1 //===-- NullabilityChecker.cpp - Nullability checker ----------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This checker tries to find nullability violations. There are several kinds of 10 // possible violations: 11 // * Null pointer is passed to a pointer which has a _Nonnull type. 12 // * Null pointer is returned from a function which has a _Nonnull return type. 13 // * Nullable pointer is passed to a pointer which has a _Nonnull type. 14 // * Nullable pointer is returned from a function which has a _Nonnull return 15 // type. 16 // * Nullable pointer is dereferenced. 17 // 18 // This checker propagates the nullability information of the pointers and looks 19 // for the patterns that are described above. Explicit casts are trusted and are 20 // considered a way to suppress false positives for this checker. The other way 21 // to suppress warnings would be to add asserts or guarding if statements to the 22 // code. In addition to the nullability propagation this checker also uses some 23 // heuristics to suppress potential false positives. 24 // 25 //===----------------------------------------------------------------------===// 26 27 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 28 29 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 30 #include "clang/StaticAnalyzer/Core/Checker.h" 31 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 32 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" 33 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 34 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 35 36 #include "llvm/ADT/StringExtras.h" 37 #include "llvm/Support/Path.h" 38 39 using namespace clang; 40 using namespace ento; 41 42 namespace { 43 44 /// Returns the most nullable nullability. This is used for message expressions 45 /// like [receiver method], where the nullability of this expression is either 46 /// the nullability of the receiver or the nullability of the return type of the 47 /// method, depending on which is more nullable. Contradicted is considered to 48 /// be the most nullable, to avoid false positive results. 49 Nullability getMostNullable(Nullability Lhs, Nullability Rhs) { 50 return static_cast<Nullability>( 51 std::min(static_cast<char>(Lhs), static_cast<char>(Rhs))); 52 } 53 54 const char *getNullabilityString(Nullability Nullab) { 55 switch (Nullab) { 56 case Nullability::Contradicted: 57 return "contradicted"; 58 case Nullability::Nullable: 59 return "nullable"; 60 case Nullability::Unspecified: 61 return "unspecified"; 62 case Nullability::Nonnull: 63 return "nonnull"; 64 } 65 llvm_unreachable("Unexpected enumeration."); 66 return ""; 67 } 68 69 // These enums are used as an index to ErrorMessages array. 70 enum class ErrorKind : int { 71 NilAssignedToNonnull, 72 NilPassedToNonnull, 73 NilReturnedToNonnull, 74 NullableAssignedToNonnull, 75 NullableReturnedToNonnull, 76 NullableDereferenced, 77 NullablePassedToNonnull 78 }; 79 80 class NullabilityChecker 81 : public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>, 82 check::PostCall, check::PostStmt<ExplicitCastExpr>, 83 check::PostObjCMessage, check::DeadSymbols, eval::Assume, 84 check::Location, check::Event<ImplicitNullDerefEvent>> { 85 86 public: 87 // If true, the checker will not diagnose nullabilility issues for calls 88 // to system headers. This option is motivated by the observation that large 89 // projects may have many nullability warnings. These projects may 90 // find warnings about nullability annotations that they have explicitly 91 // added themselves higher priority to fix than warnings on calls to system 92 // libraries. 93 bool NoDiagnoseCallsToSystemHeaders = false; 94 95 void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; 96 void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const; 97 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 98 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const; 99 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 100 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 101 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 102 void checkEvent(ImplicitNullDerefEvent Event) const; 103 void checkLocation(SVal Location, bool IsLoad, const Stmt *S, 104 CheckerContext &C) const; 105 ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond, 106 bool Assumption) const; 107 108 void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, 109 const char *Sep) const override; 110 111 enum CheckKind { 112 CK_NullPassedToNonnull, 113 CK_NullReturnedFromNonnull, 114 CK_NullableDereferenced, 115 CK_NullablePassedToNonnull, 116 CK_NullableReturnedFromNonnull, 117 CK_NumCheckKinds 118 }; 119 120 bool ChecksEnabled[CK_NumCheckKinds] = {false}; 121 CheckerNameRef CheckNames[CK_NumCheckKinds]; 122 mutable std::unique_ptr<BugType> BTs[CK_NumCheckKinds]; 123 124 const std::unique_ptr<BugType> &getBugType(CheckKind Kind) const { 125 if (!BTs[Kind]) 126 BTs[Kind].reset(new BugType(CheckNames[Kind], "Nullability", 127 categories::MemoryError)); 128 return BTs[Kind]; 129 } 130 131 // When set to false no nullability information will be tracked in 132 // NullabilityMap. It is possible to catch errors like passing a null pointer 133 // to a callee that expects nonnull argument without the information that is 134 // stored in the NullabilityMap. This is an optimization. 135 bool NeedTracking = false; 136 137 private: 138 class NullabilityBugVisitor : public BugReporterVisitor { 139 public: 140 NullabilityBugVisitor(const MemRegion *M) : Region(M) {} 141 142 void Profile(llvm::FoldingSetNodeID &ID) const override { 143 static int X = 0; 144 ID.AddPointer(&X); 145 ID.AddPointer(Region); 146 } 147 148 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 149 BugReporterContext &BRC, 150 PathSensitiveBugReport &BR) override; 151 152 private: 153 // The tracked region. 154 const MemRegion *Region; 155 }; 156 157 /// When any of the nonnull arguments of the analyzed function is null, do not 158 /// report anything and turn off the check. 159 /// 160 /// When \p SuppressPath is set to true, no more bugs will be reported on this 161 /// path by this checker. 162 void reportBugIfInvariantHolds(StringRef Msg, ErrorKind Error, CheckKind CK, 163 ExplodedNode *N, const MemRegion *Region, 164 CheckerContext &C, 165 const Stmt *ValueExpr = nullptr, 166 bool SuppressPath = false) const; 167 168 void reportBug(StringRef Msg, ErrorKind Error, CheckKind CK, ExplodedNode *N, 169 const MemRegion *Region, BugReporter &BR, 170 const Stmt *ValueExpr = nullptr) const { 171 const std::unique_ptr<BugType> &BT = getBugType(CK); 172 auto R = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N); 173 if (Region) { 174 R->markInteresting(Region); 175 R->addVisitor<NullabilityBugVisitor>(Region); 176 } 177 if (ValueExpr) { 178 R->addRange(ValueExpr->getSourceRange()); 179 if (Error == ErrorKind::NilAssignedToNonnull || 180 Error == ErrorKind::NilPassedToNonnull || 181 Error == ErrorKind::NilReturnedToNonnull) 182 if (const auto *Ex = dyn_cast<Expr>(ValueExpr)) 183 bugreporter::trackExpressionValue(N, Ex, *R); 184 } 185 BR.emitReport(std::move(R)); 186 } 187 188 /// If an SVal wraps a region that should be tracked, it will return a pointer 189 /// to the wrapped region. Otherwise it will return a nullptr. 190 const SymbolicRegion *getTrackRegion(SVal Val, 191 bool CheckSuperRegion = false) const; 192 193 /// Returns true if the call is diagnosable in the current analyzer 194 /// configuration. 195 bool isDiagnosableCall(const CallEvent &Call) const { 196 if (NoDiagnoseCallsToSystemHeaders && Call.isInSystemHeader()) 197 return false; 198 199 return true; 200 } 201 }; 202 203 class NullabilityState { 204 public: 205 NullabilityState(Nullability Nullab, const Stmt *Source = nullptr) 206 : Nullab(Nullab), Source(Source) {} 207 208 const Stmt *getNullabilitySource() const { return Source; } 209 210 Nullability getValue() const { return Nullab; } 211 212 void Profile(llvm::FoldingSetNodeID &ID) const { 213 ID.AddInteger(static_cast<char>(Nullab)); 214 ID.AddPointer(Source); 215 } 216 217 void print(raw_ostream &Out) const { 218 Out << getNullabilityString(Nullab) << "\n"; 219 } 220 221 private: 222 Nullability Nullab; 223 // Source is the expression which determined the nullability. For example in a 224 // message like [nullable nonnull_returning] has nullable nullability, because 225 // the receiver is nullable. Here the receiver will be the source of the 226 // nullability. This is useful information when the diagnostics are generated. 227 const Stmt *Source; 228 }; 229 230 bool operator==(NullabilityState Lhs, NullabilityState Rhs) { 231 return Lhs.getValue() == Rhs.getValue() && 232 Lhs.getNullabilitySource() == Rhs.getNullabilitySource(); 233 } 234 235 // For the purpose of tracking historical property accesses, the key for lookup 236 // is an object pointer (could be an instance or a class) paired with the unique 237 // identifier for the property being invoked on that object. 238 using ObjectPropPair = std::pair<const MemRegion *, const IdentifierInfo *>; 239 240 // Metadata associated with the return value from a recorded property access. 241 struct ConstrainedPropertyVal { 242 // This will reference the conjured return SVal for some call 243 // of the form [object property] 244 DefinedOrUnknownSVal Value; 245 246 // If the SVal has been determined to be nonnull, that is recorded here 247 bool isConstrainedNonnull; 248 249 ConstrainedPropertyVal(DefinedOrUnknownSVal SV) 250 : Value(SV), isConstrainedNonnull(false) {} 251 252 void Profile(llvm::FoldingSetNodeID &ID) const { 253 Value.Profile(ID); 254 ID.AddInteger(isConstrainedNonnull ? 1 : 0); 255 } 256 }; 257 258 bool operator==(const ConstrainedPropertyVal &Lhs, 259 const ConstrainedPropertyVal &Rhs) { 260 return Lhs.Value == Rhs.Value && 261 Lhs.isConstrainedNonnull == Rhs.isConstrainedNonnull; 262 } 263 264 } // end anonymous namespace 265 266 REGISTER_MAP_WITH_PROGRAMSTATE(NullabilityMap, const MemRegion *, 267 NullabilityState) 268 REGISTER_MAP_WITH_PROGRAMSTATE(PropertyAccessesMap, ObjectPropPair, 269 ConstrainedPropertyVal) 270 271 // We say "the nullability type invariant is violated" when a location with a 272 // non-null type contains NULL or a function with a non-null return type returns 273 // NULL. Violations of the nullability type invariant can be detected either 274 // directly (for example, when NULL is passed as an argument to a nonnull 275 // parameter) or indirectly (for example, when, inside a function, the 276 // programmer defensively checks whether a nonnull parameter contains NULL and 277 // finds that it does). 278 // 279 // As a matter of policy, the nullability checker typically warns on direct 280 // violations of the nullability invariant (although it uses various 281 // heuristics to suppress warnings in some cases) but will not warn if the 282 // invariant has already been violated along the path (either directly or 283 // indirectly). As a practical matter, this prevents the analyzer from 284 // (1) warning on defensive code paths where a nullability precondition is 285 // determined to have been violated, (2) warning additional times after an 286 // initial direct violation has been discovered, and (3) warning after a direct 287 // violation that has been implicitly or explicitly suppressed (for 288 // example, with a cast of NULL to _Nonnull). In essence, once an invariant 289 // violation is detected on a path, this checker will be essentially turned off 290 // for the rest of the analysis 291 // 292 // The analyzer takes this approach (rather than generating a sink node) to 293 // ensure coverage of defensive paths, which may be important for backwards 294 // compatibility in codebases that were developed without nullability in mind. 295 REGISTER_TRAIT_WITH_PROGRAMSTATE(InvariantViolated, bool) 296 297 enum class NullConstraint { IsNull, IsNotNull, Unknown }; 298 299 static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val, 300 ProgramStateRef State) { 301 ConditionTruthVal Nullness = State->isNull(Val); 302 if (Nullness.isConstrainedFalse()) 303 return NullConstraint::IsNotNull; 304 if (Nullness.isConstrainedTrue()) 305 return NullConstraint::IsNull; 306 return NullConstraint::Unknown; 307 } 308 309 static bool isValidPointerType(QualType T) { 310 return T->isAnyPointerType() || T->isBlockPointerType(); 311 } 312 313 const SymbolicRegion * 314 NullabilityChecker::getTrackRegion(SVal Val, bool CheckSuperRegion) const { 315 if (!NeedTracking) 316 return nullptr; 317 318 auto RegionSVal = Val.getAs<loc::MemRegionVal>(); 319 if (!RegionSVal) 320 return nullptr; 321 322 const MemRegion *Region = RegionSVal->getRegion(); 323 324 if (CheckSuperRegion) { 325 if (const SubRegion *FieldReg = Region->getAs<FieldRegion>()) { 326 if (const auto *ER = dyn_cast<ElementRegion>(FieldReg->getSuperRegion())) 327 FieldReg = ER; 328 return dyn_cast<SymbolicRegion>(FieldReg->getSuperRegion()); 329 } 330 if (auto ElementReg = Region->getAs<ElementRegion>()) 331 return dyn_cast<SymbolicRegion>(ElementReg->getSuperRegion()); 332 } 333 334 return dyn_cast<SymbolicRegion>(Region); 335 } 336 337 PathDiagnosticPieceRef NullabilityChecker::NullabilityBugVisitor::VisitNode( 338 const ExplodedNode *N, BugReporterContext &BRC, 339 PathSensitiveBugReport &BR) { 340 ProgramStateRef State = N->getState(); 341 ProgramStateRef StatePrev = N->getFirstPred()->getState(); 342 343 const NullabilityState *TrackedNullab = State->get<NullabilityMap>(Region); 344 const NullabilityState *TrackedNullabPrev = 345 StatePrev->get<NullabilityMap>(Region); 346 if (!TrackedNullab) 347 return nullptr; 348 349 if (TrackedNullabPrev && 350 TrackedNullabPrev->getValue() == TrackedNullab->getValue()) 351 return nullptr; 352 353 // Retrieve the associated statement. 354 const Stmt *S = TrackedNullab->getNullabilitySource(); 355 if (!S || S->getBeginLoc().isInvalid()) { 356 S = N->getStmtForDiagnostics(); 357 } 358 359 if (!S) 360 return nullptr; 361 362 std::string InfoText = 363 (llvm::Twine("Nullability '") + 364 getNullabilityString(TrackedNullab->getValue()) + "' is inferred") 365 .str(); 366 367 // Generate the extra diagnostic. 368 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 369 N->getLocationContext()); 370 return std::make_shared<PathDiagnosticEventPiece>(Pos, InfoText, true); 371 } 372 373 /// Returns true when the value stored at the given location has been 374 /// constrained to null after being passed through an object of nonnnull type. 375 static bool checkValueAtLValForInvariantViolation(ProgramStateRef State, 376 SVal LV, QualType T) { 377 if (getNullabilityAnnotation(T) != Nullability::Nonnull) 378 return false; 379 380 auto RegionVal = LV.getAs<loc::MemRegionVal>(); 381 if (!RegionVal) 382 return false; 383 384 // If the value was constrained to null *after* it was passed through that 385 // location, it could not have been a concrete pointer *when* it was passed. 386 // In that case we would have handled the situation when the value was 387 // bound to that location, by emitting (or not emitting) a report. 388 // Therefore we are only interested in symbolic regions that can be either 389 // null or non-null depending on the value of their respective symbol. 390 auto StoredVal = State->getSVal(*RegionVal).getAs<loc::MemRegionVal>(); 391 if (!StoredVal || !isa<SymbolicRegion>(StoredVal->getRegion())) 392 return false; 393 394 if (getNullConstraint(*StoredVal, State) == NullConstraint::IsNull) 395 return true; 396 397 return false; 398 } 399 400 static bool 401 checkParamsForPreconditionViolation(ArrayRef<ParmVarDecl *> Params, 402 ProgramStateRef State, 403 const LocationContext *LocCtxt) { 404 for (const auto *ParamDecl : Params) { 405 if (ParamDecl->isParameterPack()) 406 break; 407 408 SVal LV = State->getLValue(ParamDecl, LocCtxt); 409 if (checkValueAtLValForInvariantViolation(State, LV, 410 ParamDecl->getType())) { 411 return true; 412 } 413 } 414 return false; 415 } 416 417 static bool 418 checkSelfIvarsForInvariantViolation(ProgramStateRef State, 419 const LocationContext *LocCtxt) { 420 auto *MD = dyn_cast<ObjCMethodDecl>(LocCtxt->getDecl()); 421 if (!MD || !MD->isInstanceMethod()) 422 return false; 423 424 const ImplicitParamDecl *SelfDecl = LocCtxt->getSelfDecl(); 425 if (!SelfDecl) 426 return false; 427 428 SVal SelfVal = State->getSVal(State->getRegion(SelfDecl, LocCtxt)); 429 430 const ObjCObjectPointerType *SelfType = 431 dyn_cast<ObjCObjectPointerType>(SelfDecl->getType()); 432 if (!SelfType) 433 return false; 434 435 const ObjCInterfaceDecl *ID = SelfType->getInterfaceDecl(); 436 if (!ID) 437 return false; 438 439 for (const auto *IvarDecl : ID->ivars()) { 440 SVal LV = State->getLValue(IvarDecl, SelfVal); 441 if (checkValueAtLValForInvariantViolation(State, LV, IvarDecl->getType())) { 442 return true; 443 } 444 } 445 return false; 446 } 447 448 static bool checkInvariantViolation(ProgramStateRef State, ExplodedNode *N, 449 CheckerContext &C) { 450 if (State->get<InvariantViolated>()) 451 return true; 452 453 const LocationContext *LocCtxt = C.getLocationContext(); 454 const Decl *D = LocCtxt->getDecl(); 455 if (!D) 456 return false; 457 458 ArrayRef<ParmVarDecl*> Params; 459 if (const auto *BD = dyn_cast<BlockDecl>(D)) 460 Params = BD->parameters(); 461 else if (const auto *FD = dyn_cast<FunctionDecl>(D)) 462 Params = FD->parameters(); 463 else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) 464 Params = MD->parameters(); 465 else 466 return false; 467 468 if (checkParamsForPreconditionViolation(Params, State, LocCtxt) || 469 checkSelfIvarsForInvariantViolation(State, LocCtxt)) { 470 if (!N->isSink()) 471 C.addTransition(State->set<InvariantViolated>(true), N); 472 return true; 473 } 474 return false; 475 } 476 477 void NullabilityChecker::reportBugIfInvariantHolds( 478 StringRef Msg, ErrorKind Error, CheckKind CK, ExplodedNode *N, 479 const MemRegion *Region, CheckerContext &C, const Stmt *ValueExpr, 480 bool SuppressPath) const { 481 ProgramStateRef OriginalState = N->getState(); 482 483 if (checkInvariantViolation(OriginalState, N, C)) 484 return; 485 if (SuppressPath) { 486 OriginalState = OriginalState->set<InvariantViolated>(true); 487 N = C.addTransition(OriginalState, N); 488 } 489 490 reportBug(Msg, Error, CK, N, Region, C.getBugReporter(), ValueExpr); 491 } 492 493 /// Cleaning up the program state. 494 void NullabilityChecker::checkDeadSymbols(SymbolReaper &SR, 495 CheckerContext &C) const { 496 ProgramStateRef State = C.getState(); 497 NullabilityMapTy Nullabilities = State->get<NullabilityMap>(); 498 for (NullabilityMapTy::iterator I = Nullabilities.begin(), 499 E = Nullabilities.end(); 500 I != E; ++I) { 501 const auto *Region = I->first->getAs<SymbolicRegion>(); 502 assert(Region && "Non-symbolic region is tracked."); 503 if (SR.isDead(Region->getSymbol())) { 504 State = State->remove<NullabilityMap>(I->first); 505 } 506 } 507 508 // When an object goes out of scope, we can free the history associated 509 // with any property accesses on that object 510 PropertyAccessesMapTy PropertyAccesses = State->get<PropertyAccessesMap>(); 511 for (PropertyAccessesMapTy::iterator I = PropertyAccesses.begin(), 512 E = PropertyAccesses.end(); 513 I != E; ++I) { 514 const MemRegion *ReceiverRegion = I->first.first; 515 if (!SR.isLiveRegion(ReceiverRegion)) { 516 State = State->remove<PropertyAccessesMap>(I->first); 517 } 518 } 519 520 // When one of the nonnull arguments are constrained to be null, nullability 521 // preconditions are violated. It is not enough to check this only when we 522 // actually report an error, because at that time interesting symbols might be 523 // reaped. 524 if (checkInvariantViolation(State, C.getPredecessor(), C)) 525 return; 526 C.addTransition(State); 527 } 528 529 /// This callback triggers when a pointer is dereferenced and the analyzer does 530 /// not know anything about the value of that pointer. When that pointer is 531 /// nullable, this code emits a warning. 532 void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const { 533 if (Event.SinkNode->getState()->get<InvariantViolated>()) 534 return; 535 536 const MemRegion *Region = 537 getTrackRegion(Event.Location, /*CheckSuperRegion=*/true); 538 if (!Region) 539 return; 540 541 ProgramStateRef State = Event.SinkNode->getState(); 542 const NullabilityState *TrackedNullability = 543 State->get<NullabilityMap>(Region); 544 545 if (!TrackedNullability) 546 return; 547 548 if (ChecksEnabled[CK_NullableDereferenced] && 549 TrackedNullability->getValue() == Nullability::Nullable) { 550 BugReporter &BR = *Event.BR; 551 // Do not suppress errors on defensive code paths, because dereferencing 552 // a nullable pointer is always an error. 553 if (Event.IsDirectDereference) 554 reportBug("Nullable pointer is dereferenced", 555 ErrorKind::NullableDereferenced, CK_NullableDereferenced, 556 Event.SinkNode, Region, BR); 557 else { 558 reportBug("Nullable pointer is passed to a callee that requires a " 559 "non-null", 560 ErrorKind::NullablePassedToNonnull, CK_NullableDereferenced, 561 Event.SinkNode, Region, BR); 562 } 563 } 564 } 565 566 // Whenever we see a load from a typed memory region that's been annotated as 567 // 'nonnull', we want to trust the user on that and assume that it is is indeed 568 // non-null. 569 // 570 // We do so even if the value is known to have been assigned to null. 571 // The user should be warned on assigning the null value to a non-null pointer 572 // as opposed to warning on the later dereference of this pointer. 573 // 574 // \code 575 // int * _Nonnull var = 0; // we want to warn the user here... 576 // // . . . 577 // *var = 42; // ...and not here 578 // \endcode 579 void NullabilityChecker::checkLocation(SVal Location, bool IsLoad, 580 const Stmt *S, 581 CheckerContext &Context) const { 582 // We should care only about loads. 583 // The main idea is to add a constraint whenever we're loading a value from 584 // an annotated pointer type. 585 if (!IsLoad) 586 return; 587 588 // Annotations that we want to consider make sense only for types. 589 const auto *Region = 590 dyn_cast_or_null<TypedValueRegion>(Location.getAsRegion()); 591 if (!Region) 592 return; 593 594 ProgramStateRef State = Context.getState(); 595 596 auto StoredVal = State->getSVal(Region).getAs<loc::MemRegionVal>(); 597 if (!StoredVal) 598 return; 599 600 Nullability NullabilityOfTheLoadedValue = 601 getNullabilityAnnotation(Region->getValueType()); 602 603 if (NullabilityOfTheLoadedValue == Nullability::Nonnull) { 604 // It doesn't matter what we think about this particular pointer, it should 605 // be considered non-null as annotated by the developer. 606 if (ProgramStateRef NewState = State->assume(*StoredVal, true)) { 607 Context.addTransition(NewState); 608 } 609 } 610 } 611 612 /// Find the outermost subexpression of E that is not an implicit cast. 613 /// This looks through the implicit casts to _Nonnull that ARC adds to 614 /// return expressions of ObjC types when the return type of the function or 615 /// method is non-null but the express is not. 616 static const Expr *lookThroughImplicitCasts(const Expr *E) { 617 return E->IgnoreImpCasts(); 618 } 619 620 /// This method check when nullable pointer or null value is returned from a 621 /// function that has nonnull return type. 622 void NullabilityChecker::checkPreStmt(const ReturnStmt *S, 623 CheckerContext &C) const { 624 auto RetExpr = S->getRetValue(); 625 if (!RetExpr) 626 return; 627 628 if (!isValidPointerType(RetExpr->getType())) 629 return; 630 631 ProgramStateRef State = C.getState(); 632 if (State->get<InvariantViolated>()) 633 return; 634 635 auto RetSVal = C.getSVal(S).getAs<DefinedOrUnknownSVal>(); 636 if (!RetSVal) 637 return; 638 639 bool InSuppressedMethodFamily = false; 640 641 QualType RequiredRetType; 642 AnalysisDeclContext *DeclCtxt = 643 C.getLocationContext()->getAnalysisDeclContext(); 644 const Decl *D = DeclCtxt->getDecl(); 645 if (auto *MD = dyn_cast<ObjCMethodDecl>(D)) { 646 // HACK: This is a big hammer to avoid warning when there are defensive 647 // nil checks in -init and -copy methods. We should add more sophisticated 648 // logic here to suppress on common defensive idioms but still 649 // warn when there is a likely problem. 650 ObjCMethodFamily Family = MD->getMethodFamily(); 651 if (OMF_init == Family || OMF_copy == Family || OMF_mutableCopy == Family) 652 InSuppressedMethodFamily = true; 653 654 RequiredRetType = MD->getReturnType(); 655 } else if (auto *FD = dyn_cast<FunctionDecl>(D)) { 656 RequiredRetType = FD->getReturnType(); 657 } else { 658 return; 659 } 660 661 NullConstraint Nullness = getNullConstraint(*RetSVal, State); 662 663 Nullability RequiredNullability = getNullabilityAnnotation(RequiredRetType); 664 665 // If the returned value is null but the type of the expression 666 // generating it is nonnull then we will suppress the diagnostic. 667 // This enables explicit suppression when returning a nil literal in a 668 // function with a _Nonnull return type: 669 // return (NSString * _Nonnull)0; 670 Nullability RetExprTypeLevelNullability = 671 getNullabilityAnnotation(lookThroughImplicitCasts(RetExpr)->getType()); 672 673 bool NullReturnedFromNonNull = (RequiredNullability == Nullability::Nonnull && 674 Nullness == NullConstraint::IsNull); 675 if (ChecksEnabled[CK_NullReturnedFromNonnull] && NullReturnedFromNonNull && 676 RetExprTypeLevelNullability != Nullability::Nonnull && 677 !InSuppressedMethodFamily && C.getLocationContext()->inTopFrame()) { 678 static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull"); 679 ExplodedNode *N = C.generateErrorNode(State, &Tag); 680 if (!N) 681 return; 682 683 SmallString<256> SBuf; 684 llvm::raw_svector_ostream OS(SBuf); 685 OS << (RetExpr->getType()->isObjCObjectPointerType() ? "nil" : "Null"); 686 OS << " returned from a " << C.getDeclDescription(D) << 687 " that is expected to return a non-null value"; 688 reportBugIfInvariantHolds(OS.str(), ErrorKind::NilReturnedToNonnull, 689 CK_NullReturnedFromNonnull, N, nullptr, C, 690 RetExpr); 691 return; 692 } 693 694 // If null was returned from a non-null function, mark the nullability 695 // invariant as violated even if the diagnostic was suppressed. 696 if (NullReturnedFromNonNull) { 697 State = State->set<InvariantViolated>(true); 698 C.addTransition(State); 699 return; 700 } 701 702 const MemRegion *Region = getTrackRegion(*RetSVal); 703 if (!Region) 704 return; 705 706 const NullabilityState *TrackedNullability = 707 State->get<NullabilityMap>(Region); 708 if (TrackedNullability) { 709 Nullability TrackedNullabValue = TrackedNullability->getValue(); 710 if (ChecksEnabled[CK_NullableReturnedFromNonnull] && 711 Nullness != NullConstraint::IsNotNull && 712 TrackedNullabValue == Nullability::Nullable && 713 RequiredNullability == Nullability::Nonnull) { 714 static CheckerProgramPointTag Tag(this, "NullableReturnedFromNonnull"); 715 ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag); 716 717 SmallString<256> SBuf; 718 llvm::raw_svector_ostream OS(SBuf); 719 OS << "Nullable pointer is returned from a " << C.getDeclDescription(D) << 720 " that is expected to return a non-null value"; 721 722 reportBugIfInvariantHolds(OS.str(), ErrorKind::NullableReturnedToNonnull, 723 CK_NullableReturnedFromNonnull, N, Region, C); 724 } 725 return; 726 } 727 if (RequiredNullability == Nullability::Nullable) { 728 State = State->set<NullabilityMap>(Region, 729 NullabilityState(RequiredNullability, 730 S)); 731 C.addTransition(State); 732 } 733 } 734 735 /// This callback warns when a nullable pointer or a null value is passed to a 736 /// function that expects its argument to be nonnull. 737 void NullabilityChecker::checkPreCall(const CallEvent &Call, 738 CheckerContext &C) const { 739 if (!Call.getDecl()) 740 return; 741 742 ProgramStateRef State = C.getState(); 743 if (State->get<InvariantViolated>()) 744 return; 745 746 ProgramStateRef OrigState = State; 747 748 unsigned Idx = 0; 749 for (const ParmVarDecl *Param : Call.parameters()) { 750 if (Param->isParameterPack()) 751 break; 752 753 if (Idx >= Call.getNumArgs()) 754 break; 755 756 const Expr *ArgExpr = Call.getArgExpr(Idx); 757 auto ArgSVal = Call.getArgSVal(Idx++).getAs<DefinedOrUnknownSVal>(); 758 if (!ArgSVal) 759 continue; 760 761 if (!isValidPointerType(Param->getType()) && 762 !Param->getType()->isReferenceType()) 763 continue; 764 765 NullConstraint Nullness = getNullConstraint(*ArgSVal, State); 766 767 Nullability RequiredNullability = 768 getNullabilityAnnotation(Param->getType()); 769 Nullability ArgExprTypeLevelNullability = 770 getNullabilityAnnotation(ArgExpr->getType()); 771 772 unsigned ParamIdx = Param->getFunctionScopeIndex() + 1; 773 774 if (ChecksEnabled[CK_NullPassedToNonnull] && 775 Nullness == NullConstraint::IsNull && 776 ArgExprTypeLevelNullability != Nullability::Nonnull && 777 RequiredNullability == Nullability::Nonnull && 778 isDiagnosableCall(Call)) { 779 ExplodedNode *N = C.generateErrorNode(State); 780 if (!N) 781 return; 782 783 SmallString<256> SBuf; 784 llvm::raw_svector_ostream OS(SBuf); 785 OS << (Param->getType()->isObjCObjectPointerType() ? "nil" : "Null"); 786 OS << " passed to a callee that requires a non-null " << ParamIdx 787 << llvm::getOrdinalSuffix(ParamIdx) << " parameter"; 788 reportBugIfInvariantHolds(OS.str(), ErrorKind::NilPassedToNonnull, 789 CK_NullPassedToNonnull, N, nullptr, C, ArgExpr, 790 /*SuppressPath=*/false); 791 return; 792 } 793 794 const MemRegion *Region = getTrackRegion(*ArgSVal); 795 if (!Region) 796 continue; 797 798 const NullabilityState *TrackedNullability = 799 State->get<NullabilityMap>(Region); 800 801 if (TrackedNullability) { 802 if (Nullness == NullConstraint::IsNotNull || 803 TrackedNullability->getValue() != Nullability::Nullable) 804 continue; 805 806 if (ChecksEnabled[CK_NullablePassedToNonnull] && 807 RequiredNullability == Nullability::Nonnull && 808 isDiagnosableCall(Call)) { 809 ExplodedNode *N = C.addTransition(State); 810 SmallString<256> SBuf; 811 llvm::raw_svector_ostream OS(SBuf); 812 OS << "Nullable pointer is passed to a callee that requires a non-null " 813 << ParamIdx << llvm::getOrdinalSuffix(ParamIdx) << " parameter"; 814 reportBugIfInvariantHolds(OS.str(), ErrorKind::NullablePassedToNonnull, 815 CK_NullablePassedToNonnull, N, Region, C, 816 ArgExpr, /*SuppressPath=*/true); 817 return; 818 } 819 if (ChecksEnabled[CK_NullableDereferenced] && 820 Param->getType()->isReferenceType()) { 821 ExplodedNode *N = C.addTransition(State); 822 reportBugIfInvariantHolds("Nullable pointer is dereferenced", 823 ErrorKind::NullableDereferenced, 824 CK_NullableDereferenced, N, Region, C, 825 ArgExpr, /*SuppressPath=*/true); 826 return; 827 } 828 continue; 829 } 830 } 831 if (State != OrigState) 832 C.addTransition(State); 833 } 834 835 /// Suppress the nullability warnings for some functions. 836 void NullabilityChecker::checkPostCall(const CallEvent &Call, 837 CheckerContext &C) const { 838 auto Decl = Call.getDecl(); 839 if (!Decl) 840 return; 841 // ObjC Messages handles in a different callback. 842 if (Call.getKind() == CE_ObjCMessage) 843 return; 844 const FunctionType *FuncType = Decl->getFunctionType(); 845 if (!FuncType) 846 return; 847 QualType ReturnType = FuncType->getReturnType(); 848 if (!isValidPointerType(ReturnType)) 849 return; 850 ProgramStateRef State = C.getState(); 851 if (State->get<InvariantViolated>()) 852 return; 853 854 const MemRegion *Region = getTrackRegion(Call.getReturnValue()); 855 if (!Region) 856 return; 857 858 // CG headers are misannotated. Do not warn for symbols that are the results 859 // of CG calls. 860 const SourceManager &SM = C.getSourceManager(); 861 StringRef FilePath = SM.getFilename(SM.getSpellingLoc(Decl->getBeginLoc())); 862 if (llvm::sys::path::filename(FilePath).startswith("CG")) { 863 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 864 C.addTransition(State); 865 return; 866 } 867 868 const NullabilityState *TrackedNullability = 869 State->get<NullabilityMap>(Region); 870 871 if (!TrackedNullability && 872 getNullabilityAnnotation(ReturnType) == Nullability::Nullable) { 873 State = State->set<NullabilityMap>(Region, Nullability::Nullable); 874 C.addTransition(State); 875 } 876 } 877 878 static Nullability getReceiverNullability(const ObjCMethodCall &M, 879 ProgramStateRef State) { 880 if (M.isReceiverSelfOrSuper()) { 881 // For super and super class receivers we assume that the receiver is 882 // nonnull. 883 return Nullability::Nonnull; 884 } 885 // Otherwise look up nullability in the state. 886 SVal Receiver = M.getReceiverSVal(); 887 if (auto DefOrUnknown = Receiver.getAs<DefinedOrUnknownSVal>()) { 888 // If the receiver is constrained to be nonnull, assume that it is nonnull 889 // regardless of its type. 890 NullConstraint Nullness = getNullConstraint(*DefOrUnknown, State); 891 if (Nullness == NullConstraint::IsNotNull) 892 return Nullability::Nonnull; 893 } 894 auto ValueRegionSVal = Receiver.getAs<loc::MemRegionVal>(); 895 if (ValueRegionSVal) { 896 const MemRegion *SelfRegion = ValueRegionSVal->getRegion(); 897 assert(SelfRegion); 898 899 const NullabilityState *TrackedSelfNullability = 900 State->get<NullabilityMap>(SelfRegion); 901 if (TrackedSelfNullability) 902 return TrackedSelfNullability->getValue(); 903 } 904 return Nullability::Unspecified; 905 } 906 907 // The return value of a property access is typically a temporary value which 908 // will not be tracked in a persistent manner by the analyzer. We use 909 // evalAssume() in order to immediately record constraints on those temporaries 910 // at the time they are imposed (e.g. by a nil-check conditional). 911 ProgramStateRef NullabilityChecker::evalAssume(ProgramStateRef State, SVal Cond, 912 bool Assumption) const { 913 PropertyAccessesMapTy PropertyAccesses = State->get<PropertyAccessesMap>(); 914 for (PropertyAccessesMapTy::iterator I = PropertyAccesses.begin(), 915 E = PropertyAccesses.end(); 916 I != E; ++I) { 917 if (!I->second.isConstrainedNonnull) { 918 ConditionTruthVal IsNonNull = State->isNonNull(I->second.Value); 919 if (IsNonNull.isConstrainedTrue()) { 920 ConstrainedPropertyVal Replacement = I->second; 921 Replacement.isConstrainedNonnull = true; 922 State = State->set<PropertyAccessesMap>(I->first, Replacement); 923 } else if (IsNonNull.isConstrainedFalse()) { 924 // Space optimization: no point in tracking constrained-null cases 925 State = State->remove<PropertyAccessesMap>(I->first); 926 } 927 } 928 } 929 930 return State; 931 } 932 933 /// Calculate the nullability of the result of a message expr based on the 934 /// nullability of the receiver, the nullability of the return value, and the 935 /// constraints. 936 void NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M, 937 CheckerContext &C) const { 938 auto Decl = M.getDecl(); 939 if (!Decl) 940 return; 941 QualType RetType = Decl->getReturnType(); 942 if (!isValidPointerType(RetType)) 943 return; 944 945 ProgramStateRef State = C.getState(); 946 if (State->get<InvariantViolated>()) 947 return; 948 949 const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue()); 950 if (!ReturnRegion) 951 return; 952 953 auto Interface = Decl->getClassInterface(); 954 auto Name = Interface ? Interface->getName() : ""; 955 // In order to reduce the noise in the diagnostics generated by this checker, 956 // some framework and programming style based heuristics are used. These 957 // heuristics are for Cocoa APIs which have NS prefix. 958 if (Name.startswith("NS")) { 959 // Developers rely on dynamic invariants such as an item should be available 960 // in a collection, or a collection is not empty often. Those invariants can 961 // not be inferred by any static analysis tool. To not to bother the users 962 // with too many false positives, every item retrieval function should be 963 // ignored for collections. The instance methods of dictionaries in Cocoa 964 // are either item retrieval related or not interesting nullability wise. 965 // Using this fact, to keep the code easier to read just ignore the return 966 // value of every instance method of dictionaries. 967 if (M.isInstanceMessage() && Name.contains("Dictionary")) { 968 State = 969 State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); 970 C.addTransition(State); 971 return; 972 } 973 // For similar reasons ignore some methods of Cocoa arrays. 974 StringRef FirstSelectorSlot = M.getSelector().getNameForSlot(0); 975 if (Name.contains("Array") && 976 (FirstSelectorSlot == "firstObject" || 977 FirstSelectorSlot == "lastObject")) { 978 State = 979 State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); 980 C.addTransition(State); 981 return; 982 } 983 984 // Encoding related methods of string should not fail when lossless 985 // encodings are used. Using lossless encodings is so frequent that ignoring 986 // this class of methods reduced the emitted diagnostics by about 30% on 987 // some projects (and all of that was false positives). 988 if (Name.contains("String")) { 989 for (auto *Param : M.parameters()) { 990 if (Param->getName() == "encoding") { 991 State = State->set<NullabilityMap>(ReturnRegion, 992 Nullability::Contradicted); 993 C.addTransition(State); 994 return; 995 } 996 } 997 } 998 } 999 1000 const ObjCMessageExpr *Message = M.getOriginExpr(); 1001 Nullability SelfNullability = getReceiverNullability(M, State); 1002 1003 const NullabilityState *NullabilityOfReturn = 1004 State->get<NullabilityMap>(ReturnRegion); 1005 1006 if (NullabilityOfReturn) { 1007 // When we have a nullability tracked for the return value, the nullability 1008 // of the expression will be the most nullable of the receiver and the 1009 // return value. 1010 Nullability RetValTracked = NullabilityOfReturn->getValue(); 1011 Nullability ComputedNullab = 1012 getMostNullable(RetValTracked, SelfNullability); 1013 if (ComputedNullab != RetValTracked && 1014 ComputedNullab != Nullability::Unspecified) { 1015 const Stmt *NullabilitySource = 1016 ComputedNullab == RetValTracked 1017 ? NullabilityOfReturn->getNullabilitySource() 1018 : Message->getInstanceReceiver(); 1019 State = State->set<NullabilityMap>( 1020 ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource)); 1021 C.addTransition(State); 1022 } 1023 return; 1024 } 1025 1026 // No tracked information. Use static type information for return value. 1027 Nullability RetNullability = getNullabilityAnnotation(RetType); 1028 1029 // Properties might be computed, which means the property value could 1030 // theoretically change between calls even in commonly-observed cases like 1031 // this: 1032 // 1033 // if (foo.prop) { // ok, it's nonnull here... 1034 // [bar doStuffWithNonnullVal:foo.prop]; // ...but what about 1035 // here? 1036 // } 1037 // 1038 // If the property is nullable-annotated, a naive analysis would lead to many 1039 // false positives despite the presence of probably-correct nil-checks. To 1040 // reduce the false positive rate, we maintain a history of the most recently 1041 // observed property value. For each property access, if the prior value has 1042 // been constrained to be not nil then we will conservatively assume that the 1043 // next access can be inferred as nonnull. 1044 if (RetNullability != Nullability::Nonnull && 1045 M.getMessageKind() == OCM_PropertyAccess && !C.wasInlined) { 1046 bool LookupResolved = false; 1047 if (const MemRegion *ReceiverRegion = getTrackRegion(M.getReceiverSVal())) { 1048 if (IdentifierInfo *Ident = M.getSelector().getIdentifierInfoForSlot(0)) { 1049 LookupResolved = true; 1050 ObjectPropPair Key = std::make_pair(ReceiverRegion, Ident); 1051 const ConstrainedPropertyVal *PrevPropVal = 1052 State->get<PropertyAccessesMap>(Key); 1053 if (PrevPropVal && PrevPropVal->isConstrainedNonnull) { 1054 RetNullability = Nullability::Nonnull; 1055 } else { 1056 // If a previous property access was constrained as nonnull, we hold 1057 // on to that constraint (effectively inferring that all subsequent 1058 // accesses on that code path can be inferred as nonnull). If the 1059 // previous property access was *not* constrained as nonnull, then 1060 // let's throw it away in favor of keeping the SVal associated with 1061 // this more recent access. 1062 if (auto ReturnSVal = 1063 M.getReturnValue().getAs<DefinedOrUnknownSVal>()) { 1064 State = State->set<PropertyAccessesMap>( 1065 Key, ConstrainedPropertyVal(*ReturnSVal)); 1066 } 1067 } 1068 } 1069 } 1070 1071 if (!LookupResolved) { 1072 // Fallback: err on the side of suppressing the false positive. 1073 RetNullability = Nullability::Nonnull; 1074 } 1075 } 1076 1077 Nullability ComputedNullab = getMostNullable(RetNullability, SelfNullability); 1078 if (ComputedNullab == Nullability::Nullable) { 1079 const Stmt *NullabilitySource = ComputedNullab == RetNullability 1080 ? Message 1081 : Message->getInstanceReceiver(); 1082 State = State->set<NullabilityMap>( 1083 ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource)); 1084 C.addTransition(State); 1085 } 1086 } 1087 1088 /// Explicit casts are trusted. If there is a disagreement in the nullability 1089 /// annotations in the destination and the source or '0' is casted to nonnull 1090 /// track the value as having contraditory nullability. This will allow users to 1091 /// suppress warnings. 1092 void NullabilityChecker::checkPostStmt(const ExplicitCastExpr *CE, 1093 CheckerContext &C) const { 1094 QualType OriginType = CE->getSubExpr()->getType(); 1095 QualType DestType = CE->getType(); 1096 if (!isValidPointerType(OriginType)) 1097 return; 1098 if (!isValidPointerType(DestType)) 1099 return; 1100 1101 ProgramStateRef State = C.getState(); 1102 if (State->get<InvariantViolated>()) 1103 return; 1104 1105 Nullability DestNullability = getNullabilityAnnotation(DestType); 1106 1107 // No explicit nullability in the destination type, so this cast does not 1108 // change the nullability. 1109 if (DestNullability == Nullability::Unspecified) 1110 return; 1111 1112 auto RegionSVal = C.getSVal(CE).getAs<DefinedOrUnknownSVal>(); 1113 const MemRegion *Region = getTrackRegion(*RegionSVal); 1114 if (!Region) 1115 return; 1116 1117 // When 0 is converted to nonnull mark it as contradicted. 1118 if (DestNullability == Nullability::Nonnull) { 1119 NullConstraint Nullness = getNullConstraint(*RegionSVal, State); 1120 if (Nullness == NullConstraint::IsNull) { 1121 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 1122 C.addTransition(State); 1123 return; 1124 } 1125 } 1126 1127 const NullabilityState *TrackedNullability = 1128 State->get<NullabilityMap>(Region); 1129 1130 if (!TrackedNullability) { 1131 if (DestNullability != Nullability::Nullable) 1132 return; 1133 State = State->set<NullabilityMap>(Region, 1134 NullabilityState(DestNullability, CE)); 1135 C.addTransition(State); 1136 return; 1137 } 1138 1139 if (TrackedNullability->getValue() != DestNullability && 1140 TrackedNullability->getValue() != Nullability::Contradicted) { 1141 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 1142 C.addTransition(State); 1143 } 1144 } 1145 1146 /// For a given statement performing a bind, attempt to syntactically 1147 /// match the expression resulting in the bound value. 1148 static const Expr * matchValueExprForBind(const Stmt *S) { 1149 // For `x = e` the value expression is the right-hand side. 1150 if (auto *BinOp = dyn_cast<BinaryOperator>(S)) { 1151 if (BinOp->getOpcode() == BO_Assign) 1152 return BinOp->getRHS(); 1153 } 1154 1155 // For `int x = e` the value expression is the initializer. 1156 if (auto *DS = dyn_cast<DeclStmt>(S)) { 1157 if (DS->isSingleDecl()) { 1158 auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl()); 1159 if (!VD) 1160 return nullptr; 1161 1162 if (const Expr *Init = VD->getInit()) 1163 return Init; 1164 } 1165 } 1166 1167 return nullptr; 1168 } 1169 1170 /// Returns true if \param S is a DeclStmt for a local variable that 1171 /// ObjC automated reference counting initialized with zero. 1172 static bool isARCNilInitializedLocal(CheckerContext &C, const Stmt *S) { 1173 // We suppress diagnostics for ARC zero-initialized _Nonnull locals. This 1174 // prevents false positives when a _Nonnull local variable cannot be 1175 // initialized with an initialization expression: 1176 // NSString * _Nonnull s; // no-warning 1177 // @autoreleasepool { 1178 // s = ... 1179 // } 1180 // 1181 // FIXME: We should treat implicitly zero-initialized _Nonnull locals as 1182 // uninitialized in Sema's UninitializedValues analysis to warn when a use of 1183 // the zero-initialized definition will unexpectedly yield nil. 1184 1185 // Locals are only zero-initialized when automated reference counting 1186 // is turned on. 1187 if (!C.getASTContext().getLangOpts().ObjCAutoRefCount) 1188 return false; 1189 1190 auto *DS = dyn_cast<DeclStmt>(S); 1191 if (!DS || !DS->isSingleDecl()) 1192 return false; 1193 1194 auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl()); 1195 if (!VD) 1196 return false; 1197 1198 // Sema only zero-initializes locals with ObjCLifetimes. 1199 if(!VD->getType().getQualifiers().hasObjCLifetime()) 1200 return false; 1201 1202 const Expr *Init = VD->getInit(); 1203 assert(Init && "ObjC local under ARC without initializer"); 1204 1205 // Return false if the local is explicitly initialized (e.g., with '= nil'). 1206 if (!isa<ImplicitValueInitExpr>(Init)) 1207 return false; 1208 1209 return true; 1210 } 1211 1212 /// Propagate the nullability information through binds and warn when nullable 1213 /// pointer or null symbol is assigned to a pointer with a nonnull type. 1214 void NullabilityChecker::checkBind(SVal L, SVal V, const Stmt *S, 1215 CheckerContext &C) const { 1216 const TypedValueRegion *TVR = 1217 dyn_cast_or_null<TypedValueRegion>(L.getAsRegion()); 1218 if (!TVR) 1219 return; 1220 1221 QualType LocType = TVR->getValueType(); 1222 if (!isValidPointerType(LocType)) 1223 return; 1224 1225 ProgramStateRef State = C.getState(); 1226 if (State->get<InvariantViolated>()) 1227 return; 1228 1229 auto ValDefOrUnknown = V.getAs<DefinedOrUnknownSVal>(); 1230 if (!ValDefOrUnknown) 1231 return; 1232 1233 NullConstraint RhsNullness = getNullConstraint(*ValDefOrUnknown, State); 1234 1235 Nullability ValNullability = Nullability::Unspecified; 1236 if (SymbolRef Sym = ValDefOrUnknown->getAsSymbol()) 1237 ValNullability = getNullabilityAnnotation(Sym->getType()); 1238 1239 Nullability LocNullability = getNullabilityAnnotation(LocType); 1240 1241 // If the type of the RHS expression is nonnull, don't warn. This 1242 // enables explicit suppression with a cast to nonnull. 1243 Nullability ValueExprTypeLevelNullability = Nullability::Unspecified; 1244 const Expr *ValueExpr = matchValueExprForBind(S); 1245 if (ValueExpr) { 1246 ValueExprTypeLevelNullability = 1247 getNullabilityAnnotation(lookThroughImplicitCasts(ValueExpr)->getType()); 1248 } 1249 1250 bool NullAssignedToNonNull = (LocNullability == Nullability::Nonnull && 1251 RhsNullness == NullConstraint::IsNull); 1252 if (ChecksEnabled[CK_NullPassedToNonnull] && NullAssignedToNonNull && 1253 ValNullability != Nullability::Nonnull && 1254 ValueExprTypeLevelNullability != Nullability::Nonnull && 1255 !isARCNilInitializedLocal(C, S)) { 1256 static CheckerProgramPointTag Tag(this, "NullPassedToNonnull"); 1257 ExplodedNode *N = C.generateErrorNode(State, &Tag); 1258 if (!N) 1259 return; 1260 1261 1262 const Stmt *ValueStmt = S; 1263 if (ValueExpr) 1264 ValueStmt = ValueExpr; 1265 1266 SmallString<256> SBuf; 1267 llvm::raw_svector_ostream OS(SBuf); 1268 OS << (LocType->isObjCObjectPointerType() ? "nil" : "Null"); 1269 OS << " assigned to a pointer which is expected to have non-null value"; 1270 reportBugIfInvariantHolds(OS.str(), ErrorKind::NilAssignedToNonnull, 1271 CK_NullPassedToNonnull, N, nullptr, C, ValueStmt); 1272 return; 1273 } 1274 1275 // If null was returned from a non-null function, mark the nullability 1276 // invariant as violated even if the diagnostic was suppressed. 1277 if (NullAssignedToNonNull) { 1278 State = State->set<InvariantViolated>(true); 1279 C.addTransition(State); 1280 return; 1281 } 1282 1283 // Intentionally missing case: '0' is bound to a reference. It is handled by 1284 // the DereferenceChecker. 1285 1286 const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown); 1287 if (!ValueRegion) 1288 return; 1289 1290 const NullabilityState *TrackedNullability = 1291 State->get<NullabilityMap>(ValueRegion); 1292 1293 if (TrackedNullability) { 1294 if (RhsNullness == NullConstraint::IsNotNull || 1295 TrackedNullability->getValue() != Nullability::Nullable) 1296 return; 1297 if (ChecksEnabled[CK_NullablePassedToNonnull] && 1298 LocNullability == Nullability::Nonnull) { 1299 static CheckerProgramPointTag Tag(this, "NullablePassedToNonnull"); 1300 ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag); 1301 reportBugIfInvariantHolds("Nullable pointer is assigned to a pointer " 1302 "which is expected to have non-null value", 1303 ErrorKind::NullableAssignedToNonnull, 1304 CK_NullablePassedToNonnull, N, ValueRegion, C); 1305 } 1306 return; 1307 } 1308 1309 const auto *BinOp = dyn_cast<BinaryOperator>(S); 1310 1311 if (ValNullability == Nullability::Nullable) { 1312 // Trust the static information of the value more than the static 1313 // information on the location. 1314 const Stmt *NullabilitySource = BinOp ? BinOp->getRHS() : S; 1315 State = State->set<NullabilityMap>( 1316 ValueRegion, NullabilityState(ValNullability, NullabilitySource)); 1317 C.addTransition(State); 1318 return; 1319 } 1320 1321 if (LocNullability == Nullability::Nullable) { 1322 const Stmt *NullabilitySource = BinOp ? BinOp->getLHS() : S; 1323 State = State->set<NullabilityMap>( 1324 ValueRegion, NullabilityState(LocNullability, NullabilitySource)); 1325 C.addTransition(State); 1326 } 1327 } 1328 1329 void NullabilityChecker::printState(raw_ostream &Out, ProgramStateRef State, 1330 const char *NL, const char *Sep) const { 1331 1332 NullabilityMapTy B = State->get<NullabilityMap>(); 1333 1334 if (State->get<InvariantViolated>()) 1335 Out << Sep << NL 1336 << "Nullability invariant was violated, warnings suppressed." << NL; 1337 1338 if (B.isEmpty()) 1339 return; 1340 1341 if (!State->get<InvariantViolated>()) 1342 Out << Sep << NL; 1343 1344 for (NullabilityMapTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 1345 Out << I->first << " : "; 1346 I->second.print(Out); 1347 Out << NL; 1348 } 1349 } 1350 1351 void ento::registerNullabilityBase(CheckerManager &mgr) { 1352 mgr.registerChecker<NullabilityChecker>(); 1353 } 1354 1355 bool ento::shouldRegisterNullabilityBase(const CheckerManager &mgr) { 1356 return true; 1357 } 1358 1359 #define REGISTER_CHECKER(name, trackingRequired) \ 1360 void ento::register##name##Checker(CheckerManager &mgr) { \ 1361 NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>(); \ 1362 checker->ChecksEnabled[NullabilityChecker::CK_##name] = true; \ 1363 checker->CheckNames[NullabilityChecker::CK_##name] = \ 1364 mgr.getCurrentCheckerName(); \ 1365 checker->NeedTracking = checker->NeedTracking || trackingRequired; \ 1366 checker->NoDiagnoseCallsToSystemHeaders = \ 1367 checker->NoDiagnoseCallsToSystemHeaders || \ 1368 mgr.getAnalyzerOptions().getCheckerBooleanOption( \ 1369 checker, "NoDiagnoseCallsToSystemHeaders", true); \ 1370 } \ 1371 \ 1372 bool ento::shouldRegister##name##Checker(const CheckerManager &mgr) { \ 1373 return true; \ 1374 } 1375 1376 // The checks are likely to be turned on by default and it is possible to do 1377 // them without tracking any nullability related information. As an optimization 1378 // no nullability information will be tracked when only these two checks are 1379 // enables. 1380 REGISTER_CHECKER(NullPassedToNonnull, false) 1381 REGISTER_CHECKER(NullReturnedFromNonnull, false) 1382 1383 REGISTER_CHECKER(NullableDereferenced, true) 1384 REGISTER_CHECKER(NullablePassedToNonnull, true) 1385 REGISTER_CHECKER(NullableReturnedFromNonnull, true) 1386