1 //===-- NullabilityChecker.cpp - Nullability checker ----------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This checker tries to find nullability violations. There are several kinds of 10 // possible violations: 11 // * Null pointer is passed to a pointer which has a _Nonnull type. 12 // * Null pointer is returned from a function which has a _Nonnull return type. 13 // * Nullable pointer is passed to a pointer which has a _Nonnull type. 14 // * Nullable pointer is returned from a function which has a _Nonnull return 15 // type. 16 // * Nullable pointer is dereferenced. 17 // 18 // This checker propagates the nullability information of the pointers and looks 19 // for the patterns that are described above. Explicit casts are trusted and are 20 // considered a way to suppress false positives for this checker. The other way 21 // to suppress warnings would be to add asserts or guarding if statements to the 22 // code. In addition to the nullability propagation this checker also uses some 23 // heuristics to suppress potential false positives. 24 // 25 //===----------------------------------------------------------------------===// 26 27 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 28 29 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 30 #include "clang/StaticAnalyzer/Core/Checker.h" 31 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 32 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" 33 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 34 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 35 36 #include "llvm/ADT/StringExtras.h" 37 #include "llvm/Support/Path.h" 38 39 using namespace clang; 40 using namespace ento; 41 42 namespace { 43 44 /// Returns the most nullable nullability. This is used for message expressions 45 /// like [receiver method], where the nullability of this expression is either 46 /// the nullability of the receiver or the nullability of the return type of the 47 /// method, depending on which is more nullable. Contradicted is considered to 48 /// be the most nullable, to avoid false positive results. 49 Nullability getMostNullable(Nullability Lhs, Nullability Rhs) { 50 return static_cast<Nullability>( 51 std::min(static_cast<char>(Lhs), static_cast<char>(Rhs))); 52 } 53 54 const char *getNullabilityString(Nullability Nullab) { 55 switch (Nullab) { 56 case Nullability::Contradicted: 57 return "contradicted"; 58 case Nullability::Nullable: 59 return "nullable"; 60 case Nullability::Unspecified: 61 return "unspecified"; 62 case Nullability::Nonnull: 63 return "nonnull"; 64 } 65 llvm_unreachable("Unexpected enumeration."); 66 return ""; 67 } 68 69 // These enums are used as an index to ErrorMessages array. 70 enum class ErrorKind : int { 71 NilAssignedToNonnull, 72 NilPassedToNonnull, 73 NilReturnedToNonnull, 74 NullableAssignedToNonnull, 75 NullableReturnedToNonnull, 76 NullableDereferenced, 77 NullablePassedToNonnull 78 }; 79 80 class NullabilityChecker 81 : public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>, 82 check::PostCall, check::PostStmt<ExplicitCastExpr>, 83 check::PostObjCMessage, check::DeadSymbols, 84 check::Event<ImplicitNullDerefEvent>> { 85 mutable std::unique_ptr<BugType> BT; 86 87 public: 88 // If true, the checker will not diagnose nullabilility issues for calls 89 // to system headers. This option is motivated by the observation that large 90 // projects may have many nullability warnings. These projects may 91 // find warnings about nullability annotations that they have explicitly 92 // added themselves higher priority to fix than warnings on calls to system 93 // libraries. 94 DefaultBool NoDiagnoseCallsToSystemHeaders; 95 96 void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; 97 void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const; 98 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 99 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const; 100 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 101 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 102 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 103 void checkEvent(ImplicitNullDerefEvent Event) const; 104 105 void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, 106 const char *Sep) const override; 107 108 struct NullabilityChecksFilter { 109 DefaultBool CheckNullPassedToNonnull; 110 DefaultBool CheckNullReturnedFromNonnull; 111 DefaultBool CheckNullableDereferenced; 112 DefaultBool CheckNullablePassedToNonnull; 113 DefaultBool CheckNullableReturnedFromNonnull; 114 115 CheckerNameRef CheckNameNullPassedToNonnull; 116 CheckerNameRef CheckNameNullReturnedFromNonnull; 117 CheckerNameRef CheckNameNullableDereferenced; 118 CheckerNameRef CheckNameNullablePassedToNonnull; 119 CheckerNameRef CheckNameNullableReturnedFromNonnull; 120 }; 121 122 NullabilityChecksFilter Filter; 123 // When set to false no nullability information will be tracked in 124 // NullabilityMap. It is possible to catch errors like passing a null pointer 125 // to a callee that expects nonnull argument without the information that is 126 // stroed in the NullabilityMap. This is an optimization. 127 DefaultBool NeedTracking; 128 129 private: 130 class NullabilityBugVisitor : public BugReporterVisitor { 131 public: 132 NullabilityBugVisitor(const MemRegion *M) : Region(M) {} 133 134 void Profile(llvm::FoldingSetNodeID &ID) const override { 135 static int X = 0; 136 ID.AddPointer(&X); 137 ID.AddPointer(Region); 138 } 139 140 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 141 BugReporterContext &BRC, 142 PathSensitiveBugReport &BR) override; 143 144 private: 145 // The tracked region. 146 const MemRegion *Region; 147 }; 148 149 /// When any of the nonnull arguments of the analyzed function is null, do not 150 /// report anything and turn off the check. 151 /// 152 /// When \p SuppressPath is set to true, no more bugs will be reported on this 153 /// path by this checker. 154 void reportBugIfInvariantHolds(StringRef Msg, ErrorKind Error, 155 ExplodedNode *N, const MemRegion *Region, 156 CheckerContext &C, 157 const Stmt *ValueExpr = nullptr, 158 bool SuppressPath = false) const; 159 160 void reportBug(StringRef Msg, ErrorKind Error, ExplodedNode *N, 161 const MemRegion *Region, BugReporter &BR, 162 const Stmt *ValueExpr = nullptr) const { 163 if (!BT) 164 BT.reset(new BugType(this, "Nullability", categories::MemoryError)); 165 166 auto R = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N); 167 if (Region) { 168 R->markInteresting(Region); 169 R->addVisitor(std::make_unique<NullabilityBugVisitor>(Region)); 170 } 171 if (ValueExpr) { 172 R->addRange(ValueExpr->getSourceRange()); 173 if (Error == ErrorKind::NilAssignedToNonnull || 174 Error == ErrorKind::NilPassedToNonnull || 175 Error == ErrorKind::NilReturnedToNonnull) 176 if (const auto *Ex = dyn_cast<Expr>(ValueExpr)) 177 bugreporter::trackExpressionValue(N, Ex, *R); 178 } 179 BR.emitReport(std::move(R)); 180 } 181 182 /// If an SVal wraps a region that should be tracked, it will return a pointer 183 /// to the wrapped region. Otherwise it will return a nullptr. 184 const SymbolicRegion *getTrackRegion(SVal Val, 185 bool CheckSuperRegion = false) const; 186 187 /// Returns true if the call is diagnosable in the current analyzer 188 /// configuration. 189 bool isDiagnosableCall(const CallEvent &Call) const { 190 if (NoDiagnoseCallsToSystemHeaders && Call.isInSystemHeader()) 191 return false; 192 193 return true; 194 } 195 }; 196 197 class NullabilityState { 198 public: 199 NullabilityState(Nullability Nullab, const Stmt *Source = nullptr) 200 : Nullab(Nullab), Source(Source) {} 201 202 const Stmt *getNullabilitySource() const { return Source; } 203 204 Nullability getValue() const { return Nullab; } 205 206 void Profile(llvm::FoldingSetNodeID &ID) const { 207 ID.AddInteger(static_cast<char>(Nullab)); 208 ID.AddPointer(Source); 209 } 210 211 void print(raw_ostream &Out) const { 212 Out << getNullabilityString(Nullab) << "\n"; 213 } 214 215 private: 216 Nullability Nullab; 217 // Source is the expression which determined the nullability. For example in a 218 // message like [nullable nonnull_returning] has nullable nullability, because 219 // the receiver is nullable. Here the receiver will be the source of the 220 // nullability. This is useful information when the diagnostics are generated. 221 const Stmt *Source; 222 }; 223 224 bool operator==(NullabilityState Lhs, NullabilityState Rhs) { 225 return Lhs.getValue() == Rhs.getValue() && 226 Lhs.getNullabilitySource() == Rhs.getNullabilitySource(); 227 } 228 229 } // end anonymous namespace 230 231 REGISTER_MAP_WITH_PROGRAMSTATE(NullabilityMap, const MemRegion *, 232 NullabilityState) 233 234 // We say "the nullability type invariant is violated" when a location with a 235 // non-null type contains NULL or a function with a non-null return type returns 236 // NULL. Violations of the nullability type invariant can be detected either 237 // directly (for example, when NULL is passed as an argument to a nonnull 238 // parameter) or indirectly (for example, when, inside a function, the 239 // programmer defensively checks whether a nonnull parameter contains NULL and 240 // finds that it does). 241 // 242 // As a matter of policy, the nullability checker typically warns on direct 243 // violations of the nullability invariant (although it uses various 244 // heuristics to suppress warnings in some cases) but will not warn if the 245 // invariant has already been violated along the path (either directly or 246 // indirectly). As a practical matter, this prevents the analyzer from 247 // (1) warning on defensive code paths where a nullability precondition is 248 // determined to have been violated, (2) warning additional times after an 249 // initial direct violation has been discovered, and (3) warning after a direct 250 // violation that has been implicitly or explicitly suppressed (for 251 // example, with a cast of NULL to _Nonnull). In essence, once an invariant 252 // violation is detected on a path, this checker will be essentially turned off 253 // for the rest of the analysis 254 // 255 // The analyzer takes this approach (rather than generating a sink node) to 256 // ensure coverage of defensive paths, which may be important for backwards 257 // compatibility in codebases that were developed without nullability in mind. 258 REGISTER_TRAIT_WITH_PROGRAMSTATE(InvariantViolated, bool) 259 260 enum class NullConstraint { IsNull, IsNotNull, Unknown }; 261 262 static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val, 263 ProgramStateRef State) { 264 ConditionTruthVal Nullness = State->isNull(Val); 265 if (Nullness.isConstrainedFalse()) 266 return NullConstraint::IsNotNull; 267 if (Nullness.isConstrainedTrue()) 268 return NullConstraint::IsNull; 269 return NullConstraint::Unknown; 270 } 271 272 const SymbolicRegion * 273 NullabilityChecker::getTrackRegion(SVal Val, bool CheckSuperRegion) const { 274 if (!NeedTracking) 275 return nullptr; 276 277 auto RegionSVal = Val.getAs<loc::MemRegionVal>(); 278 if (!RegionSVal) 279 return nullptr; 280 281 const MemRegion *Region = RegionSVal->getRegion(); 282 283 if (CheckSuperRegion) { 284 if (auto FieldReg = Region->getAs<FieldRegion>()) 285 return dyn_cast<SymbolicRegion>(FieldReg->getSuperRegion()); 286 if (auto ElementReg = Region->getAs<ElementRegion>()) 287 return dyn_cast<SymbolicRegion>(ElementReg->getSuperRegion()); 288 } 289 290 return dyn_cast<SymbolicRegion>(Region); 291 } 292 293 PathDiagnosticPieceRef NullabilityChecker::NullabilityBugVisitor::VisitNode( 294 const ExplodedNode *N, BugReporterContext &BRC, 295 PathSensitiveBugReport &BR) { 296 ProgramStateRef State = N->getState(); 297 ProgramStateRef StatePrev = N->getFirstPred()->getState(); 298 299 const NullabilityState *TrackedNullab = State->get<NullabilityMap>(Region); 300 const NullabilityState *TrackedNullabPrev = 301 StatePrev->get<NullabilityMap>(Region); 302 if (!TrackedNullab) 303 return nullptr; 304 305 if (TrackedNullabPrev && 306 TrackedNullabPrev->getValue() == TrackedNullab->getValue()) 307 return nullptr; 308 309 // Retrieve the associated statement. 310 const Stmt *S = TrackedNullab->getNullabilitySource(); 311 if (!S || S->getBeginLoc().isInvalid()) { 312 S = N->getStmtForDiagnostics(); 313 } 314 315 if (!S) 316 return nullptr; 317 318 std::string InfoText = 319 (llvm::Twine("Nullability '") + 320 getNullabilityString(TrackedNullab->getValue()) + "' is inferred") 321 .str(); 322 323 // Generate the extra diagnostic. 324 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 325 N->getLocationContext()); 326 return std::make_shared<PathDiagnosticEventPiece>(Pos, InfoText, true); 327 } 328 329 /// Returns true when the value stored at the given location has been 330 /// constrained to null after being passed through an object of nonnnull type. 331 static bool checkValueAtLValForInvariantViolation(ProgramStateRef State, 332 SVal LV, QualType T) { 333 if (getNullabilityAnnotation(T) != Nullability::Nonnull) 334 return false; 335 336 auto RegionVal = LV.getAs<loc::MemRegionVal>(); 337 if (!RegionVal) 338 return false; 339 340 // If the value was constrained to null *after* it was passed through that 341 // location, it could not have been a concrete pointer *when* it was passed. 342 // In that case we would have handled the situation when the value was 343 // bound to that location, by emitting (or not emitting) a report. 344 // Therefore we are only interested in symbolic regions that can be either 345 // null or non-null depending on the value of their respective symbol. 346 auto StoredVal = State->getSVal(*RegionVal).getAs<loc::MemRegionVal>(); 347 if (!StoredVal || !isa<SymbolicRegion>(StoredVal->getRegion())) 348 return false; 349 350 if (getNullConstraint(*StoredVal, State) == NullConstraint::IsNull) 351 return true; 352 353 return false; 354 } 355 356 static bool 357 checkParamsForPreconditionViolation(ArrayRef<ParmVarDecl *> Params, 358 ProgramStateRef State, 359 const LocationContext *LocCtxt) { 360 for (const auto *ParamDecl : Params) { 361 if (ParamDecl->isParameterPack()) 362 break; 363 364 SVal LV = State->getLValue(ParamDecl, LocCtxt); 365 if (checkValueAtLValForInvariantViolation(State, LV, 366 ParamDecl->getType())) { 367 return true; 368 } 369 } 370 return false; 371 } 372 373 static bool 374 checkSelfIvarsForInvariantViolation(ProgramStateRef State, 375 const LocationContext *LocCtxt) { 376 auto *MD = dyn_cast<ObjCMethodDecl>(LocCtxt->getDecl()); 377 if (!MD || !MD->isInstanceMethod()) 378 return false; 379 380 const ImplicitParamDecl *SelfDecl = LocCtxt->getSelfDecl(); 381 if (!SelfDecl) 382 return false; 383 384 SVal SelfVal = State->getSVal(State->getRegion(SelfDecl, LocCtxt)); 385 386 const ObjCObjectPointerType *SelfType = 387 dyn_cast<ObjCObjectPointerType>(SelfDecl->getType()); 388 if (!SelfType) 389 return false; 390 391 const ObjCInterfaceDecl *ID = SelfType->getInterfaceDecl(); 392 if (!ID) 393 return false; 394 395 for (const auto *IvarDecl : ID->ivars()) { 396 SVal LV = State->getLValue(IvarDecl, SelfVal); 397 if (checkValueAtLValForInvariantViolation(State, LV, IvarDecl->getType())) { 398 return true; 399 } 400 } 401 return false; 402 } 403 404 static bool checkInvariantViolation(ProgramStateRef State, ExplodedNode *N, 405 CheckerContext &C) { 406 if (State->get<InvariantViolated>()) 407 return true; 408 409 const LocationContext *LocCtxt = C.getLocationContext(); 410 const Decl *D = LocCtxt->getDecl(); 411 if (!D) 412 return false; 413 414 ArrayRef<ParmVarDecl*> Params; 415 if (const auto *BD = dyn_cast<BlockDecl>(D)) 416 Params = BD->parameters(); 417 else if (const auto *FD = dyn_cast<FunctionDecl>(D)) 418 Params = FD->parameters(); 419 else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) 420 Params = MD->parameters(); 421 else 422 return false; 423 424 if (checkParamsForPreconditionViolation(Params, State, LocCtxt) || 425 checkSelfIvarsForInvariantViolation(State, LocCtxt)) { 426 if (!N->isSink()) 427 C.addTransition(State->set<InvariantViolated>(true), N); 428 return true; 429 } 430 return false; 431 } 432 433 void NullabilityChecker::reportBugIfInvariantHolds(StringRef Msg, 434 ErrorKind Error, ExplodedNode *N, const MemRegion *Region, 435 CheckerContext &C, const Stmt *ValueExpr, bool SuppressPath) const { 436 ProgramStateRef OriginalState = N->getState(); 437 438 if (checkInvariantViolation(OriginalState, N, C)) 439 return; 440 if (SuppressPath) { 441 OriginalState = OriginalState->set<InvariantViolated>(true); 442 N = C.addTransition(OriginalState, N); 443 } 444 445 reportBug(Msg, Error, N, Region, C.getBugReporter(), ValueExpr); 446 } 447 448 /// Cleaning up the program state. 449 void NullabilityChecker::checkDeadSymbols(SymbolReaper &SR, 450 CheckerContext &C) const { 451 ProgramStateRef State = C.getState(); 452 NullabilityMapTy Nullabilities = State->get<NullabilityMap>(); 453 for (NullabilityMapTy::iterator I = Nullabilities.begin(), 454 E = Nullabilities.end(); 455 I != E; ++I) { 456 const auto *Region = I->first->getAs<SymbolicRegion>(); 457 assert(Region && "Non-symbolic region is tracked."); 458 if (SR.isDead(Region->getSymbol())) { 459 State = State->remove<NullabilityMap>(I->first); 460 } 461 } 462 // When one of the nonnull arguments are constrained to be null, nullability 463 // preconditions are violated. It is not enough to check this only when we 464 // actually report an error, because at that time interesting symbols might be 465 // reaped. 466 if (checkInvariantViolation(State, C.getPredecessor(), C)) 467 return; 468 C.addTransition(State); 469 } 470 471 /// This callback triggers when a pointer is dereferenced and the analyzer does 472 /// not know anything about the value of that pointer. When that pointer is 473 /// nullable, this code emits a warning. 474 void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const { 475 if (Event.SinkNode->getState()->get<InvariantViolated>()) 476 return; 477 478 const MemRegion *Region = 479 getTrackRegion(Event.Location, /*CheckSuperRegion=*/true); 480 if (!Region) 481 return; 482 483 ProgramStateRef State = Event.SinkNode->getState(); 484 const NullabilityState *TrackedNullability = 485 State->get<NullabilityMap>(Region); 486 487 if (!TrackedNullability) 488 return; 489 490 if (Filter.CheckNullableDereferenced && 491 TrackedNullability->getValue() == Nullability::Nullable) { 492 BugReporter &BR = *Event.BR; 493 // Do not suppress errors on defensive code paths, because dereferencing 494 // a nullable pointer is always an error. 495 if (Event.IsDirectDereference) 496 reportBug("Nullable pointer is dereferenced", 497 ErrorKind::NullableDereferenced, Event.SinkNode, Region, BR); 498 else { 499 reportBug("Nullable pointer is passed to a callee that requires a " 500 "non-null", ErrorKind::NullablePassedToNonnull, 501 Event.SinkNode, Region, BR); 502 } 503 } 504 } 505 506 /// Find the outermost subexpression of E that is not an implicit cast. 507 /// This looks through the implicit casts to _Nonnull that ARC adds to 508 /// return expressions of ObjC types when the return type of the function or 509 /// method is non-null but the express is not. 510 static const Expr *lookThroughImplicitCasts(const Expr *E) { 511 assert(E); 512 513 while (auto *ICE = dyn_cast<ImplicitCastExpr>(E)) { 514 E = ICE->getSubExpr(); 515 } 516 517 return E; 518 } 519 520 /// This method check when nullable pointer or null value is returned from a 521 /// function that has nonnull return type. 522 void NullabilityChecker::checkPreStmt(const ReturnStmt *S, 523 CheckerContext &C) const { 524 auto RetExpr = S->getRetValue(); 525 if (!RetExpr) 526 return; 527 528 if (!RetExpr->getType()->isAnyPointerType()) 529 return; 530 531 ProgramStateRef State = C.getState(); 532 if (State->get<InvariantViolated>()) 533 return; 534 535 auto RetSVal = C.getSVal(S).getAs<DefinedOrUnknownSVal>(); 536 if (!RetSVal) 537 return; 538 539 bool InSuppressedMethodFamily = false; 540 541 QualType RequiredRetType; 542 AnalysisDeclContext *DeclCtxt = 543 C.getLocationContext()->getAnalysisDeclContext(); 544 const Decl *D = DeclCtxt->getDecl(); 545 if (auto *MD = dyn_cast<ObjCMethodDecl>(D)) { 546 // HACK: This is a big hammer to avoid warning when there are defensive 547 // nil checks in -init and -copy methods. We should add more sophisticated 548 // logic here to suppress on common defensive idioms but still 549 // warn when there is a likely problem. 550 ObjCMethodFamily Family = MD->getMethodFamily(); 551 if (OMF_init == Family || OMF_copy == Family || OMF_mutableCopy == Family) 552 InSuppressedMethodFamily = true; 553 554 RequiredRetType = MD->getReturnType(); 555 } else if (auto *FD = dyn_cast<FunctionDecl>(D)) { 556 RequiredRetType = FD->getReturnType(); 557 } else { 558 return; 559 } 560 561 NullConstraint Nullness = getNullConstraint(*RetSVal, State); 562 563 Nullability RequiredNullability = getNullabilityAnnotation(RequiredRetType); 564 565 // If the returned value is null but the type of the expression 566 // generating it is nonnull then we will suppress the diagnostic. 567 // This enables explicit suppression when returning a nil literal in a 568 // function with a _Nonnull return type: 569 // return (NSString * _Nonnull)0; 570 Nullability RetExprTypeLevelNullability = 571 getNullabilityAnnotation(lookThroughImplicitCasts(RetExpr)->getType()); 572 573 bool NullReturnedFromNonNull = (RequiredNullability == Nullability::Nonnull && 574 Nullness == NullConstraint::IsNull); 575 if (Filter.CheckNullReturnedFromNonnull && 576 NullReturnedFromNonNull && 577 RetExprTypeLevelNullability != Nullability::Nonnull && 578 !InSuppressedMethodFamily && 579 C.getLocationContext()->inTopFrame()) { 580 static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull"); 581 ExplodedNode *N = C.generateErrorNode(State, &Tag); 582 if (!N) 583 return; 584 585 SmallString<256> SBuf; 586 llvm::raw_svector_ostream OS(SBuf); 587 OS << (RetExpr->getType()->isObjCObjectPointerType() ? "nil" : "Null"); 588 OS << " returned from a " << C.getDeclDescription(D) << 589 " that is expected to return a non-null value"; 590 reportBugIfInvariantHolds(OS.str(), 591 ErrorKind::NilReturnedToNonnull, N, nullptr, C, 592 RetExpr); 593 return; 594 } 595 596 // If null was returned from a non-null function, mark the nullability 597 // invariant as violated even if the diagnostic was suppressed. 598 if (NullReturnedFromNonNull) { 599 State = State->set<InvariantViolated>(true); 600 C.addTransition(State); 601 return; 602 } 603 604 const MemRegion *Region = getTrackRegion(*RetSVal); 605 if (!Region) 606 return; 607 608 const NullabilityState *TrackedNullability = 609 State->get<NullabilityMap>(Region); 610 if (TrackedNullability) { 611 Nullability TrackedNullabValue = TrackedNullability->getValue(); 612 if (Filter.CheckNullableReturnedFromNonnull && 613 Nullness != NullConstraint::IsNotNull && 614 TrackedNullabValue == Nullability::Nullable && 615 RequiredNullability == Nullability::Nonnull) { 616 static CheckerProgramPointTag Tag(this, "NullableReturnedFromNonnull"); 617 ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag); 618 619 SmallString<256> SBuf; 620 llvm::raw_svector_ostream OS(SBuf); 621 OS << "Nullable pointer is returned from a " << C.getDeclDescription(D) << 622 " that is expected to return a non-null value"; 623 624 reportBugIfInvariantHolds(OS.str(), 625 ErrorKind::NullableReturnedToNonnull, N, 626 Region, C); 627 } 628 return; 629 } 630 if (RequiredNullability == Nullability::Nullable) { 631 State = State->set<NullabilityMap>(Region, 632 NullabilityState(RequiredNullability, 633 S)); 634 C.addTransition(State); 635 } 636 } 637 638 /// This callback warns when a nullable pointer or a null value is passed to a 639 /// function that expects its argument to be nonnull. 640 void NullabilityChecker::checkPreCall(const CallEvent &Call, 641 CheckerContext &C) const { 642 if (!Call.getDecl()) 643 return; 644 645 ProgramStateRef State = C.getState(); 646 if (State->get<InvariantViolated>()) 647 return; 648 649 ProgramStateRef OrigState = State; 650 651 unsigned Idx = 0; 652 for (const ParmVarDecl *Param : Call.parameters()) { 653 if (Param->isParameterPack()) 654 break; 655 656 if (Idx >= Call.getNumArgs()) 657 break; 658 659 const Expr *ArgExpr = Call.getArgExpr(Idx); 660 auto ArgSVal = Call.getArgSVal(Idx++).getAs<DefinedOrUnknownSVal>(); 661 if (!ArgSVal) 662 continue; 663 664 if (!Param->getType()->isAnyPointerType() && 665 !Param->getType()->isReferenceType()) 666 continue; 667 668 NullConstraint Nullness = getNullConstraint(*ArgSVal, State); 669 670 Nullability RequiredNullability = 671 getNullabilityAnnotation(Param->getType()); 672 Nullability ArgExprTypeLevelNullability = 673 getNullabilityAnnotation(ArgExpr->getType()); 674 675 unsigned ParamIdx = Param->getFunctionScopeIndex() + 1; 676 677 if (Filter.CheckNullPassedToNonnull && Nullness == NullConstraint::IsNull && 678 ArgExprTypeLevelNullability != Nullability::Nonnull && 679 RequiredNullability == Nullability::Nonnull && 680 isDiagnosableCall(Call)) { 681 ExplodedNode *N = C.generateErrorNode(State); 682 if (!N) 683 return; 684 685 SmallString<256> SBuf; 686 llvm::raw_svector_ostream OS(SBuf); 687 OS << (Param->getType()->isObjCObjectPointerType() ? "nil" : "Null"); 688 OS << " passed to a callee that requires a non-null " << ParamIdx 689 << llvm::getOrdinalSuffix(ParamIdx) << " parameter"; 690 reportBugIfInvariantHolds(OS.str(), ErrorKind::NilPassedToNonnull, N, 691 nullptr, C, 692 ArgExpr, /*SuppressPath=*/false); 693 return; 694 } 695 696 const MemRegion *Region = getTrackRegion(*ArgSVal); 697 if (!Region) 698 continue; 699 700 const NullabilityState *TrackedNullability = 701 State->get<NullabilityMap>(Region); 702 703 if (TrackedNullability) { 704 if (Nullness == NullConstraint::IsNotNull || 705 TrackedNullability->getValue() != Nullability::Nullable) 706 continue; 707 708 if (Filter.CheckNullablePassedToNonnull && 709 RequiredNullability == Nullability::Nonnull && 710 isDiagnosableCall(Call)) { 711 ExplodedNode *N = C.addTransition(State); 712 SmallString<256> SBuf; 713 llvm::raw_svector_ostream OS(SBuf); 714 OS << "Nullable pointer is passed to a callee that requires a non-null " 715 << ParamIdx << llvm::getOrdinalSuffix(ParamIdx) << " parameter"; 716 reportBugIfInvariantHolds(OS.str(), 717 ErrorKind::NullablePassedToNonnull, N, 718 Region, C, ArgExpr, /*SuppressPath=*/true); 719 return; 720 } 721 if (Filter.CheckNullableDereferenced && 722 Param->getType()->isReferenceType()) { 723 ExplodedNode *N = C.addTransition(State); 724 reportBugIfInvariantHolds("Nullable pointer is dereferenced", 725 ErrorKind::NullableDereferenced, N, Region, 726 C, ArgExpr, /*SuppressPath=*/true); 727 return; 728 } 729 continue; 730 } 731 } 732 if (State != OrigState) 733 C.addTransition(State); 734 } 735 736 /// Suppress the nullability warnings for some functions. 737 void NullabilityChecker::checkPostCall(const CallEvent &Call, 738 CheckerContext &C) const { 739 auto Decl = Call.getDecl(); 740 if (!Decl) 741 return; 742 // ObjC Messages handles in a different callback. 743 if (Call.getKind() == CE_ObjCMessage) 744 return; 745 const FunctionType *FuncType = Decl->getFunctionType(); 746 if (!FuncType) 747 return; 748 QualType ReturnType = FuncType->getReturnType(); 749 if (!ReturnType->isAnyPointerType()) 750 return; 751 ProgramStateRef State = C.getState(); 752 if (State->get<InvariantViolated>()) 753 return; 754 755 const MemRegion *Region = getTrackRegion(Call.getReturnValue()); 756 if (!Region) 757 return; 758 759 // CG headers are misannotated. Do not warn for symbols that are the results 760 // of CG calls. 761 const SourceManager &SM = C.getSourceManager(); 762 StringRef FilePath = SM.getFilename(SM.getSpellingLoc(Decl->getBeginLoc())); 763 if (llvm::sys::path::filename(FilePath).startswith("CG")) { 764 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 765 C.addTransition(State); 766 return; 767 } 768 769 const NullabilityState *TrackedNullability = 770 State->get<NullabilityMap>(Region); 771 772 if (!TrackedNullability && 773 getNullabilityAnnotation(ReturnType) == Nullability::Nullable) { 774 State = State->set<NullabilityMap>(Region, Nullability::Nullable); 775 C.addTransition(State); 776 } 777 } 778 779 static Nullability getReceiverNullability(const ObjCMethodCall &M, 780 ProgramStateRef State) { 781 if (M.isReceiverSelfOrSuper()) { 782 // For super and super class receivers we assume that the receiver is 783 // nonnull. 784 return Nullability::Nonnull; 785 } 786 // Otherwise look up nullability in the state. 787 SVal Receiver = M.getReceiverSVal(); 788 if (auto DefOrUnknown = Receiver.getAs<DefinedOrUnknownSVal>()) { 789 // If the receiver is constrained to be nonnull, assume that it is nonnull 790 // regardless of its type. 791 NullConstraint Nullness = getNullConstraint(*DefOrUnknown, State); 792 if (Nullness == NullConstraint::IsNotNull) 793 return Nullability::Nonnull; 794 } 795 auto ValueRegionSVal = Receiver.getAs<loc::MemRegionVal>(); 796 if (ValueRegionSVal) { 797 const MemRegion *SelfRegion = ValueRegionSVal->getRegion(); 798 assert(SelfRegion); 799 800 const NullabilityState *TrackedSelfNullability = 801 State->get<NullabilityMap>(SelfRegion); 802 if (TrackedSelfNullability) 803 return TrackedSelfNullability->getValue(); 804 } 805 return Nullability::Unspecified; 806 } 807 808 /// Calculate the nullability of the result of a message expr based on the 809 /// nullability of the receiver, the nullability of the return value, and the 810 /// constraints. 811 void NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M, 812 CheckerContext &C) const { 813 auto Decl = M.getDecl(); 814 if (!Decl) 815 return; 816 QualType RetType = Decl->getReturnType(); 817 if (!RetType->isAnyPointerType()) 818 return; 819 820 ProgramStateRef State = C.getState(); 821 if (State->get<InvariantViolated>()) 822 return; 823 824 const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue()); 825 if (!ReturnRegion) 826 return; 827 828 auto Interface = Decl->getClassInterface(); 829 auto Name = Interface ? Interface->getName() : ""; 830 // In order to reduce the noise in the diagnostics generated by this checker, 831 // some framework and programming style based heuristics are used. These 832 // heuristics are for Cocoa APIs which have NS prefix. 833 if (Name.startswith("NS")) { 834 // Developers rely on dynamic invariants such as an item should be available 835 // in a collection, or a collection is not empty often. Those invariants can 836 // not be inferred by any static analysis tool. To not to bother the users 837 // with too many false positives, every item retrieval function should be 838 // ignored for collections. The instance methods of dictionaries in Cocoa 839 // are either item retrieval related or not interesting nullability wise. 840 // Using this fact, to keep the code easier to read just ignore the return 841 // value of every instance method of dictionaries. 842 if (M.isInstanceMessage() && Name.contains("Dictionary")) { 843 State = 844 State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); 845 C.addTransition(State); 846 return; 847 } 848 // For similar reasons ignore some methods of Cocoa arrays. 849 StringRef FirstSelectorSlot = M.getSelector().getNameForSlot(0); 850 if (Name.contains("Array") && 851 (FirstSelectorSlot == "firstObject" || 852 FirstSelectorSlot == "lastObject")) { 853 State = 854 State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); 855 C.addTransition(State); 856 return; 857 } 858 859 // Encoding related methods of string should not fail when lossless 860 // encodings are used. Using lossless encodings is so frequent that ignoring 861 // this class of methods reduced the emitted diagnostics by about 30% on 862 // some projects (and all of that was false positives). 863 if (Name.contains("String")) { 864 for (auto Param : M.parameters()) { 865 if (Param->getName() == "encoding") { 866 State = State->set<NullabilityMap>(ReturnRegion, 867 Nullability::Contradicted); 868 C.addTransition(State); 869 return; 870 } 871 } 872 } 873 } 874 875 const ObjCMessageExpr *Message = M.getOriginExpr(); 876 Nullability SelfNullability = getReceiverNullability(M, State); 877 878 const NullabilityState *NullabilityOfReturn = 879 State->get<NullabilityMap>(ReturnRegion); 880 881 if (NullabilityOfReturn) { 882 // When we have a nullability tracked for the return value, the nullability 883 // of the expression will be the most nullable of the receiver and the 884 // return value. 885 Nullability RetValTracked = NullabilityOfReturn->getValue(); 886 Nullability ComputedNullab = 887 getMostNullable(RetValTracked, SelfNullability); 888 if (ComputedNullab != RetValTracked && 889 ComputedNullab != Nullability::Unspecified) { 890 const Stmt *NullabilitySource = 891 ComputedNullab == RetValTracked 892 ? NullabilityOfReturn->getNullabilitySource() 893 : Message->getInstanceReceiver(); 894 State = State->set<NullabilityMap>( 895 ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource)); 896 C.addTransition(State); 897 } 898 return; 899 } 900 901 // No tracked information. Use static type information for return value. 902 Nullability RetNullability = getNullabilityAnnotation(RetType); 903 904 // Properties might be computed. For this reason the static analyzer creates a 905 // new symbol each time an unknown property is read. To avoid false pozitives 906 // do not treat unknown properties as nullable, even when they explicitly 907 // marked nullable. 908 if (M.getMessageKind() == OCM_PropertyAccess && !C.wasInlined) 909 RetNullability = Nullability::Nonnull; 910 911 Nullability ComputedNullab = getMostNullable(RetNullability, SelfNullability); 912 if (ComputedNullab == Nullability::Nullable) { 913 const Stmt *NullabilitySource = ComputedNullab == RetNullability 914 ? Message 915 : Message->getInstanceReceiver(); 916 State = State->set<NullabilityMap>( 917 ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource)); 918 C.addTransition(State); 919 } 920 } 921 922 /// Explicit casts are trusted. If there is a disagreement in the nullability 923 /// annotations in the destination and the source or '0' is casted to nonnull 924 /// track the value as having contraditory nullability. This will allow users to 925 /// suppress warnings. 926 void NullabilityChecker::checkPostStmt(const ExplicitCastExpr *CE, 927 CheckerContext &C) const { 928 QualType OriginType = CE->getSubExpr()->getType(); 929 QualType DestType = CE->getType(); 930 if (!OriginType->isAnyPointerType()) 931 return; 932 if (!DestType->isAnyPointerType()) 933 return; 934 935 ProgramStateRef State = C.getState(); 936 if (State->get<InvariantViolated>()) 937 return; 938 939 Nullability DestNullability = getNullabilityAnnotation(DestType); 940 941 // No explicit nullability in the destination type, so this cast does not 942 // change the nullability. 943 if (DestNullability == Nullability::Unspecified) 944 return; 945 946 auto RegionSVal = C.getSVal(CE).getAs<DefinedOrUnknownSVal>(); 947 const MemRegion *Region = getTrackRegion(*RegionSVal); 948 if (!Region) 949 return; 950 951 // When 0 is converted to nonnull mark it as contradicted. 952 if (DestNullability == Nullability::Nonnull) { 953 NullConstraint Nullness = getNullConstraint(*RegionSVal, State); 954 if (Nullness == NullConstraint::IsNull) { 955 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 956 C.addTransition(State); 957 return; 958 } 959 } 960 961 const NullabilityState *TrackedNullability = 962 State->get<NullabilityMap>(Region); 963 964 if (!TrackedNullability) { 965 if (DestNullability != Nullability::Nullable) 966 return; 967 State = State->set<NullabilityMap>(Region, 968 NullabilityState(DestNullability, CE)); 969 C.addTransition(State); 970 return; 971 } 972 973 if (TrackedNullability->getValue() != DestNullability && 974 TrackedNullability->getValue() != Nullability::Contradicted) { 975 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 976 C.addTransition(State); 977 } 978 } 979 980 /// For a given statement performing a bind, attempt to syntactically 981 /// match the expression resulting in the bound value. 982 static const Expr * matchValueExprForBind(const Stmt *S) { 983 // For `x = e` the value expression is the right-hand side. 984 if (auto *BinOp = dyn_cast<BinaryOperator>(S)) { 985 if (BinOp->getOpcode() == BO_Assign) 986 return BinOp->getRHS(); 987 } 988 989 // For `int x = e` the value expression is the initializer. 990 if (auto *DS = dyn_cast<DeclStmt>(S)) { 991 if (DS->isSingleDecl()) { 992 auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl()); 993 if (!VD) 994 return nullptr; 995 996 if (const Expr *Init = VD->getInit()) 997 return Init; 998 } 999 } 1000 1001 return nullptr; 1002 } 1003 1004 /// Returns true if \param S is a DeclStmt for a local variable that 1005 /// ObjC automated reference counting initialized with zero. 1006 static bool isARCNilInitializedLocal(CheckerContext &C, const Stmt *S) { 1007 // We suppress diagnostics for ARC zero-initialized _Nonnull locals. This 1008 // prevents false positives when a _Nonnull local variable cannot be 1009 // initialized with an initialization expression: 1010 // NSString * _Nonnull s; // no-warning 1011 // @autoreleasepool { 1012 // s = ... 1013 // } 1014 // 1015 // FIXME: We should treat implicitly zero-initialized _Nonnull locals as 1016 // uninitialized in Sema's UninitializedValues analysis to warn when a use of 1017 // the zero-initialized definition will unexpectedly yield nil. 1018 1019 // Locals are only zero-initialized when automated reference counting 1020 // is turned on. 1021 if (!C.getASTContext().getLangOpts().ObjCAutoRefCount) 1022 return false; 1023 1024 auto *DS = dyn_cast<DeclStmt>(S); 1025 if (!DS || !DS->isSingleDecl()) 1026 return false; 1027 1028 auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl()); 1029 if (!VD) 1030 return false; 1031 1032 // Sema only zero-initializes locals with ObjCLifetimes. 1033 if(!VD->getType().getQualifiers().hasObjCLifetime()) 1034 return false; 1035 1036 const Expr *Init = VD->getInit(); 1037 assert(Init && "ObjC local under ARC without initializer"); 1038 1039 // Return false if the local is explicitly initialized (e.g., with '= nil'). 1040 if (!isa<ImplicitValueInitExpr>(Init)) 1041 return false; 1042 1043 return true; 1044 } 1045 1046 /// Propagate the nullability information through binds and warn when nullable 1047 /// pointer or null symbol is assigned to a pointer with a nonnull type. 1048 void NullabilityChecker::checkBind(SVal L, SVal V, const Stmt *S, 1049 CheckerContext &C) const { 1050 const TypedValueRegion *TVR = 1051 dyn_cast_or_null<TypedValueRegion>(L.getAsRegion()); 1052 if (!TVR) 1053 return; 1054 1055 QualType LocType = TVR->getValueType(); 1056 if (!LocType->isAnyPointerType()) 1057 return; 1058 1059 ProgramStateRef State = C.getState(); 1060 if (State->get<InvariantViolated>()) 1061 return; 1062 1063 auto ValDefOrUnknown = V.getAs<DefinedOrUnknownSVal>(); 1064 if (!ValDefOrUnknown) 1065 return; 1066 1067 NullConstraint RhsNullness = getNullConstraint(*ValDefOrUnknown, State); 1068 1069 Nullability ValNullability = Nullability::Unspecified; 1070 if (SymbolRef Sym = ValDefOrUnknown->getAsSymbol()) 1071 ValNullability = getNullabilityAnnotation(Sym->getType()); 1072 1073 Nullability LocNullability = getNullabilityAnnotation(LocType); 1074 1075 // If the type of the RHS expression is nonnull, don't warn. This 1076 // enables explicit suppression with a cast to nonnull. 1077 Nullability ValueExprTypeLevelNullability = Nullability::Unspecified; 1078 const Expr *ValueExpr = matchValueExprForBind(S); 1079 if (ValueExpr) { 1080 ValueExprTypeLevelNullability = 1081 getNullabilityAnnotation(lookThroughImplicitCasts(ValueExpr)->getType()); 1082 } 1083 1084 bool NullAssignedToNonNull = (LocNullability == Nullability::Nonnull && 1085 RhsNullness == NullConstraint::IsNull); 1086 if (Filter.CheckNullPassedToNonnull && 1087 NullAssignedToNonNull && 1088 ValNullability != Nullability::Nonnull && 1089 ValueExprTypeLevelNullability != Nullability::Nonnull && 1090 !isARCNilInitializedLocal(C, S)) { 1091 static CheckerProgramPointTag Tag(this, "NullPassedToNonnull"); 1092 ExplodedNode *N = C.generateErrorNode(State, &Tag); 1093 if (!N) 1094 return; 1095 1096 1097 const Stmt *ValueStmt = S; 1098 if (ValueExpr) 1099 ValueStmt = ValueExpr; 1100 1101 SmallString<256> SBuf; 1102 llvm::raw_svector_ostream OS(SBuf); 1103 OS << (LocType->isObjCObjectPointerType() ? "nil" : "Null"); 1104 OS << " assigned to a pointer which is expected to have non-null value"; 1105 reportBugIfInvariantHolds(OS.str(), 1106 ErrorKind::NilAssignedToNonnull, N, nullptr, C, 1107 ValueStmt); 1108 return; 1109 } 1110 1111 // If null was returned from a non-null function, mark the nullability 1112 // invariant as violated even if the diagnostic was suppressed. 1113 if (NullAssignedToNonNull) { 1114 State = State->set<InvariantViolated>(true); 1115 C.addTransition(State); 1116 return; 1117 } 1118 1119 // Intentionally missing case: '0' is bound to a reference. It is handled by 1120 // the DereferenceChecker. 1121 1122 const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown); 1123 if (!ValueRegion) 1124 return; 1125 1126 const NullabilityState *TrackedNullability = 1127 State->get<NullabilityMap>(ValueRegion); 1128 1129 if (TrackedNullability) { 1130 if (RhsNullness == NullConstraint::IsNotNull || 1131 TrackedNullability->getValue() != Nullability::Nullable) 1132 return; 1133 if (Filter.CheckNullablePassedToNonnull && 1134 LocNullability == Nullability::Nonnull) { 1135 static CheckerProgramPointTag Tag(this, "NullablePassedToNonnull"); 1136 ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag); 1137 reportBugIfInvariantHolds("Nullable pointer is assigned to a pointer " 1138 "which is expected to have non-null value", 1139 ErrorKind::NullableAssignedToNonnull, N, 1140 ValueRegion, C); 1141 } 1142 return; 1143 } 1144 1145 const auto *BinOp = dyn_cast<BinaryOperator>(S); 1146 1147 if (ValNullability == Nullability::Nullable) { 1148 // Trust the static information of the value more than the static 1149 // information on the location. 1150 const Stmt *NullabilitySource = BinOp ? BinOp->getRHS() : S; 1151 State = State->set<NullabilityMap>( 1152 ValueRegion, NullabilityState(ValNullability, NullabilitySource)); 1153 C.addTransition(State); 1154 return; 1155 } 1156 1157 if (LocNullability == Nullability::Nullable) { 1158 const Stmt *NullabilitySource = BinOp ? BinOp->getLHS() : S; 1159 State = State->set<NullabilityMap>( 1160 ValueRegion, NullabilityState(LocNullability, NullabilitySource)); 1161 C.addTransition(State); 1162 } 1163 } 1164 1165 void NullabilityChecker::printState(raw_ostream &Out, ProgramStateRef State, 1166 const char *NL, const char *Sep) const { 1167 1168 NullabilityMapTy B = State->get<NullabilityMap>(); 1169 1170 if (State->get<InvariantViolated>()) 1171 Out << Sep << NL 1172 << "Nullability invariant was violated, warnings suppressed." << NL; 1173 1174 if (B.isEmpty()) 1175 return; 1176 1177 if (!State->get<InvariantViolated>()) 1178 Out << Sep << NL; 1179 1180 for (NullabilityMapTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { 1181 Out << I->first << " : "; 1182 I->second.print(Out); 1183 Out << NL; 1184 } 1185 } 1186 1187 void ento::registerNullabilityBase(CheckerManager &mgr) { 1188 mgr.registerChecker<NullabilityChecker>(); 1189 } 1190 1191 bool ento::shouldRegisterNullabilityBase(const LangOptions &LO) { 1192 return true; 1193 } 1194 1195 #define REGISTER_CHECKER(name, trackingRequired) \ 1196 void ento::register##name##Checker(CheckerManager &mgr) { \ 1197 NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>(); \ 1198 checker->Filter.Check##name = true; \ 1199 checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \ 1200 checker->NeedTracking = checker->NeedTracking || trackingRequired; \ 1201 checker->NoDiagnoseCallsToSystemHeaders = \ 1202 checker->NoDiagnoseCallsToSystemHeaders || \ 1203 mgr.getAnalyzerOptions().getCheckerBooleanOption( \ 1204 checker, "NoDiagnoseCallsToSystemHeaders", true); \ 1205 } \ 1206 \ 1207 bool ento::shouldRegister##name##Checker(const LangOptions &LO) { \ 1208 return true; \ 1209 } 1210 1211 // The checks are likely to be turned on by default and it is possible to do 1212 // them without tracking any nullability related information. As an optimization 1213 // no nullability information will be tracked when only these two checks are 1214 // enables. 1215 REGISTER_CHECKER(NullPassedToNonnull, false) 1216 REGISTER_CHECKER(NullReturnedFromNonnull, false) 1217 1218 REGISTER_CHECKER(NullableDereferenced, true) 1219 REGISTER_CHECKER(NullablePassedToNonnull, true) 1220 REGISTER_CHECKER(NullableReturnedFromNonnull, true) 1221