1 //===-- NullabilityChecker.cpp - Nullability checker ----------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This checker tries to find nullability violations. There are several kinds of 10 // possible violations: 11 // * Null pointer is passed to a pointer which has a _Nonnull type. 12 // * Null pointer is returned from a function which has a _Nonnull return type. 13 // * Nullable pointer is passed to a pointer which has a _Nonnull type. 14 // * Nullable pointer is returned from a function which has a _Nonnull return 15 // type. 16 // * Nullable pointer is dereferenced. 17 // 18 // This checker propagates the nullability information of the pointers and looks 19 // for the patterns that are described above. Explicit casts are trusted and are 20 // considered a way to suppress false positives for this checker. The other way 21 // to suppress warnings would be to add asserts or guarding if statements to the 22 // code. In addition to the nullability propagation this checker also uses some 23 // heuristics to suppress potential false positives. 24 // 25 //===----------------------------------------------------------------------===// 26 27 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 28 29 #include "clang/Analysis/AnyCall.h" 30 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 31 #include "clang/StaticAnalyzer/Core/Checker.h" 32 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 33 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 34 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 35 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" 36 37 #include "llvm/ADT/STLExtras.h" 38 #include "llvm/ADT/StringExtras.h" 39 #include "llvm/Support/Path.h" 40 41 using namespace clang; 42 using namespace ento; 43 44 namespace { 45 46 /// Returns the most nullable nullability. This is used for message expressions 47 /// like [receiver method], where the nullability of this expression is either 48 /// the nullability of the receiver or the nullability of the return type of the 49 /// method, depending on which is more nullable. Contradicted is considered to 50 /// be the most nullable, to avoid false positive results. 51 Nullability getMostNullable(Nullability Lhs, Nullability Rhs) { 52 return static_cast<Nullability>( 53 std::min(static_cast<char>(Lhs), static_cast<char>(Rhs))); 54 } 55 56 const char *getNullabilityString(Nullability Nullab) { 57 switch (Nullab) { 58 case Nullability::Contradicted: 59 return "contradicted"; 60 case Nullability::Nullable: 61 return "nullable"; 62 case Nullability::Unspecified: 63 return "unspecified"; 64 case Nullability::Nonnull: 65 return "nonnull"; 66 } 67 llvm_unreachable("Unexpected enumeration."); 68 return ""; 69 } 70 71 // These enums are used as an index to ErrorMessages array. 72 // FIXME: ErrorMessages no longer exists, perhaps remove this as well? 73 enum class ErrorKind : int { 74 NilAssignedToNonnull, 75 NilPassedToNonnull, 76 NilReturnedToNonnull, 77 NullableAssignedToNonnull, 78 NullableReturnedToNonnull, 79 NullableDereferenced, 80 NullablePassedToNonnull 81 }; 82 83 class NullabilityChecker 84 : public CheckerFamily< 85 check::Bind, check::PreCall, check::PreStmt<ReturnStmt>, 86 check::PostCall, check::PostStmt<ExplicitCastExpr>, 87 check::PostObjCMessage, check::DeadSymbols, eval::Assume, 88 check::Location, check::Event<ImplicitNullDerefEvent>, 89 check::BeginFunction> { 90 91 public: 92 // If true, the checker will not diagnose nullabilility issues for calls 93 // to system headers. This option is motivated by the observation that large 94 // projects may have many nullability warnings. These projects may 95 // find warnings about nullability annotations that they have explicitly 96 // added themselves higher priority to fix than warnings on calls to system 97 // libraries. 98 bool NoDiagnoseCallsToSystemHeaders = false; 99 100 void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; 101 void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const; 102 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 103 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const; 104 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 105 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 106 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 107 void checkEvent(ImplicitNullDerefEvent Event) const; 108 void checkLocation(SVal Location, bool IsLoad, const Stmt *S, 109 CheckerContext &C) const; 110 void checkBeginFunction(CheckerContext &Ctx) const; 111 ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond, 112 bool Assumption) const; 113 114 void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, 115 const char *Sep) const override; 116 117 StringRef getDebugTag() const override { return "NullabilityChecker"; } 118 119 // FIXME: All bug types share the same Description ("Nullability") since the 120 // creation of this checker. We should write more descriptive descriptions... 121 // or just eliminate the Description field if it is meaningless? 122 CheckerFrontendWithBugType NullPassedToNonnull{"Nullability", 123 categories::MemoryError}; 124 CheckerFrontendWithBugType NullReturnedFromNonnull{"Nullability", 125 categories::MemoryError}; 126 CheckerFrontendWithBugType NullableDereferenced{"Nullability", 127 categories::MemoryError}; 128 CheckerFrontendWithBugType NullablePassedToNonnull{"Nullability", 129 categories::MemoryError}; 130 CheckerFrontendWithBugType NullableReturnedFromNonnull{ 131 "Nullability", categories::MemoryError}; 132 133 // When set to false no nullability information will be tracked in 134 // NullabilityMap. It is possible to catch errors like passing a null pointer 135 // to a callee that expects nonnull argument without the information that is 136 // stored in the NullabilityMap. This is an optimization. 137 bool NeedTracking = false; 138 139 private: 140 class NullabilityBugVisitor : public BugReporterVisitor { 141 public: 142 NullabilityBugVisitor(const MemRegion *M) : Region(M) {} 143 144 void Profile(llvm::FoldingSetNodeID &ID) const override { 145 static int X = 0; 146 ID.AddPointer(&X); 147 ID.AddPointer(Region); 148 } 149 150 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 151 BugReporterContext &BRC, 152 PathSensitiveBugReport &BR) override; 153 154 private: 155 // The tracked region. 156 const MemRegion *Region; 157 }; 158 159 /// When any of the nonnull arguments of the analyzed function is null, do not 160 /// report anything and turn off the check. 161 /// 162 /// When \p SuppressPath is set to true, no more bugs will be reported on this 163 /// path by this checker. 164 void reportBugIfInvariantHolds(StringRef Msg, ErrorKind Error, 165 const BugType &BT, ExplodedNode *N, 166 const MemRegion *Region, CheckerContext &C, 167 const Stmt *ValueExpr = nullptr, 168 bool SuppressPath = false) const; 169 170 void reportBug(StringRef Msg, ErrorKind Error, const BugType &BT, 171 ExplodedNode *N, const MemRegion *Region, BugReporter &BR, 172 const Stmt *ValueExpr = nullptr) const { 173 auto R = std::make_unique<PathSensitiveBugReport>(BT, Msg, N); 174 if (Region) { 175 R->markInteresting(Region); 176 R->addVisitor<NullabilityBugVisitor>(Region); 177 } 178 if (ValueExpr) { 179 R->addRange(ValueExpr->getSourceRange()); 180 if (Error == ErrorKind::NilAssignedToNonnull || 181 Error == ErrorKind::NilPassedToNonnull || 182 Error == ErrorKind::NilReturnedToNonnull) 183 if (const auto *Ex = dyn_cast<Expr>(ValueExpr)) 184 bugreporter::trackExpressionValue(N, Ex, *R); 185 } 186 BR.emitReport(std::move(R)); 187 } 188 189 /// If an SVal wraps a region that should be tracked, it will return a pointer 190 /// to the wrapped region. Otherwise it will return a nullptr. 191 const SymbolicRegion *getTrackRegion(SVal Val, 192 bool CheckSuperRegion = false) const; 193 194 /// Returns true if the call is diagnosable in the current analyzer 195 /// configuration. 196 bool isDiagnosableCall(const CallEvent &Call) const { 197 if (NoDiagnoseCallsToSystemHeaders && Call.isInSystemHeader()) 198 return false; 199 200 return true; 201 } 202 }; 203 204 class NullabilityState { 205 public: 206 NullabilityState(Nullability Nullab, const Stmt *Source = nullptr) 207 : Nullab(Nullab), Source(Source) {} 208 209 const Stmt *getNullabilitySource() const { return Source; } 210 211 Nullability getValue() const { return Nullab; } 212 213 void Profile(llvm::FoldingSetNodeID &ID) const { 214 ID.AddInteger(static_cast<char>(Nullab)); 215 ID.AddPointer(Source); 216 } 217 218 void print(raw_ostream &Out) const { 219 Out << getNullabilityString(Nullab) << "\n"; 220 } 221 222 private: 223 Nullability Nullab; 224 // Source is the expression which determined the nullability. For example in a 225 // message like [nullable nonnull_returning] has nullable nullability, because 226 // the receiver is nullable. Here the receiver will be the source of the 227 // nullability. This is useful information when the diagnostics are generated. 228 const Stmt *Source; 229 }; 230 231 bool operator==(NullabilityState Lhs, NullabilityState Rhs) { 232 return Lhs.getValue() == Rhs.getValue() && 233 Lhs.getNullabilitySource() == Rhs.getNullabilitySource(); 234 } 235 236 // For the purpose of tracking historical property accesses, the key for lookup 237 // is an object pointer (could be an instance or a class) paired with the unique 238 // identifier for the property being invoked on that object. 239 using ObjectPropPair = std::pair<const MemRegion *, const IdentifierInfo *>; 240 241 // Metadata associated with the return value from a recorded property access. 242 struct ConstrainedPropertyVal { 243 // This will reference the conjured return SVal for some call 244 // of the form [object property] 245 DefinedOrUnknownSVal Value; 246 247 // If the SVal has been determined to be nonnull, that is recorded here 248 bool isConstrainedNonnull; 249 250 ConstrainedPropertyVal(DefinedOrUnknownSVal SV) 251 : Value(SV), isConstrainedNonnull(false) {} 252 253 void Profile(llvm::FoldingSetNodeID &ID) const { 254 Value.Profile(ID); 255 ID.AddInteger(isConstrainedNonnull ? 1 : 0); 256 } 257 }; 258 259 bool operator==(const ConstrainedPropertyVal &Lhs, 260 const ConstrainedPropertyVal &Rhs) { 261 return Lhs.Value == Rhs.Value && 262 Lhs.isConstrainedNonnull == Rhs.isConstrainedNonnull; 263 } 264 265 } // end anonymous namespace 266 267 REGISTER_MAP_WITH_PROGRAMSTATE(NullabilityMap, const MemRegion *, 268 NullabilityState) 269 REGISTER_MAP_WITH_PROGRAMSTATE(PropertyAccessesMap, ObjectPropPair, 270 ConstrainedPropertyVal) 271 272 // We say "the nullability type invariant is violated" when a location with a 273 // non-null type contains NULL or a function with a non-null return type returns 274 // NULL. Violations of the nullability type invariant can be detected either 275 // directly (for example, when NULL is passed as an argument to a nonnull 276 // parameter) or indirectly (for example, when, inside a function, the 277 // programmer defensively checks whether a nonnull parameter contains NULL and 278 // finds that it does). 279 // 280 // As a matter of policy, the nullability checker typically warns on direct 281 // violations of the nullability invariant (although it uses various 282 // heuristics to suppress warnings in some cases) but will not warn if the 283 // invariant has already been violated along the path (either directly or 284 // indirectly). As a practical matter, this prevents the analyzer from 285 // (1) warning on defensive code paths where a nullability precondition is 286 // determined to have been violated, (2) warning additional times after an 287 // initial direct violation has been discovered, and (3) warning after a direct 288 // violation that has been implicitly or explicitly suppressed (for 289 // example, with a cast of NULL to _Nonnull). In essence, once an invariant 290 // violation is detected on a path, this checker will be essentially turned off 291 // for the rest of the analysis 292 // 293 // The analyzer takes this approach (rather than generating a sink node) to 294 // ensure coverage of defensive paths, which may be important for backwards 295 // compatibility in codebases that were developed without nullability in mind. 296 REGISTER_TRAIT_WITH_PROGRAMSTATE(InvariantViolated, bool) 297 298 enum class NullConstraint { IsNull, IsNotNull, Unknown }; 299 300 static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val, 301 ProgramStateRef State) { 302 ConditionTruthVal Nullness = State->isNull(Val); 303 if (Nullness.isConstrainedFalse()) 304 return NullConstraint::IsNotNull; 305 if (Nullness.isConstrainedTrue()) 306 return NullConstraint::IsNull; 307 return NullConstraint::Unknown; 308 } 309 310 static bool isValidPointerType(QualType T) { 311 return T->isAnyPointerType() || T->isBlockPointerType(); 312 } 313 314 const SymbolicRegion * 315 NullabilityChecker::getTrackRegion(SVal Val, bool CheckSuperRegion) const { 316 if (!NeedTracking) 317 return nullptr; 318 319 auto RegionSVal = Val.getAs<loc::MemRegionVal>(); 320 if (!RegionSVal) 321 return nullptr; 322 323 const MemRegion *Region = RegionSVal->getRegion(); 324 325 if (CheckSuperRegion) { 326 if (const SubRegion *FieldReg = Region->getAs<FieldRegion>()) { 327 if (const auto *ER = dyn_cast<ElementRegion>(FieldReg->getSuperRegion())) 328 FieldReg = ER; 329 return dyn_cast<SymbolicRegion>(FieldReg->getSuperRegion()); 330 } 331 if (auto ElementReg = Region->getAs<ElementRegion>()) 332 return dyn_cast<SymbolicRegion>(ElementReg->getSuperRegion()); 333 } 334 335 return dyn_cast<SymbolicRegion>(Region); 336 } 337 338 PathDiagnosticPieceRef NullabilityChecker::NullabilityBugVisitor::VisitNode( 339 const ExplodedNode *N, BugReporterContext &BRC, 340 PathSensitiveBugReport &BR) { 341 ProgramStateRef State = N->getState(); 342 ProgramStateRef StatePrev = N->getFirstPred()->getState(); 343 344 const NullabilityState *TrackedNullab = State->get<NullabilityMap>(Region); 345 const NullabilityState *TrackedNullabPrev = 346 StatePrev->get<NullabilityMap>(Region); 347 if (!TrackedNullab) 348 return nullptr; 349 350 if (TrackedNullabPrev && 351 TrackedNullabPrev->getValue() == TrackedNullab->getValue()) 352 return nullptr; 353 354 // Retrieve the associated statement. 355 const Stmt *S = TrackedNullab->getNullabilitySource(); 356 if (!S || S->getBeginLoc().isInvalid()) { 357 S = N->getStmtForDiagnostics(); 358 } 359 360 if (!S) 361 return nullptr; 362 363 std::string InfoText = 364 (llvm::Twine("Nullability '") + 365 getNullabilityString(TrackedNullab->getValue()) + "' is inferred") 366 .str(); 367 368 // Generate the extra diagnostic. 369 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 370 N->getLocationContext()); 371 return std::make_shared<PathDiagnosticEventPiece>(Pos, InfoText, true); 372 } 373 374 /// Returns true when the value stored at the given location has been 375 /// constrained to null after being passed through an object of nonnnull type. 376 static bool checkValueAtLValForInvariantViolation(ProgramStateRef State, 377 SVal LV, QualType T) { 378 if (getNullabilityAnnotation(T) != Nullability::Nonnull) 379 return false; 380 381 auto RegionVal = LV.getAs<loc::MemRegionVal>(); 382 if (!RegionVal) 383 return false; 384 385 // If the value was constrained to null *after* it was passed through that 386 // location, it could not have been a concrete pointer *when* it was passed. 387 // In that case we would have handled the situation when the value was 388 // bound to that location, by emitting (or not emitting) a report. 389 // Therefore we are only interested in symbolic regions that can be either 390 // null or non-null depending on the value of their respective symbol. 391 auto StoredVal = State->getSVal(*RegionVal).getAs<loc::MemRegionVal>(); 392 if (!StoredVal || !isa<SymbolicRegion>(StoredVal->getRegion())) 393 return false; 394 395 if (getNullConstraint(*StoredVal, State) == NullConstraint::IsNull) 396 return true; 397 398 return false; 399 } 400 401 static bool 402 checkParamsForPreconditionViolation(ArrayRef<ParmVarDecl *> Params, 403 ProgramStateRef State, 404 const LocationContext *LocCtxt) { 405 for (const auto *ParamDecl : Params) { 406 if (ParamDecl->isParameterPack()) 407 break; 408 409 SVal LV = State->getLValue(ParamDecl, LocCtxt); 410 if (checkValueAtLValForInvariantViolation(State, LV, 411 ParamDecl->getType())) { 412 return true; 413 } 414 } 415 return false; 416 } 417 418 static bool 419 checkSelfIvarsForInvariantViolation(ProgramStateRef State, 420 const LocationContext *LocCtxt) { 421 auto *MD = dyn_cast<ObjCMethodDecl>(LocCtxt->getDecl()); 422 if (!MD || !MD->isInstanceMethod()) 423 return false; 424 425 const ImplicitParamDecl *SelfDecl = LocCtxt->getSelfDecl(); 426 if (!SelfDecl) 427 return false; 428 429 SVal SelfVal = State->getSVal(State->getRegion(SelfDecl, LocCtxt)); 430 431 const ObjCObjectPointerType *SelfType = 432 dyn_cast<ObjCObjectPointerType>(SelfDecl->getType()); 433 if (!SelfType) 434 return false; 435 436 const ObjCInterfaceDecl *ID = SelfType->getInterfaceDecl(); 437 if (!ID) 438 return false; 439 440 for (const auto *IvarDecl : ID->ivars()) { 441 SVal LV = State->getLValue(IvarDecl, SelfVal); 442 if (checkValueAtLValForInvariantViolation(State, LV, IvarDecl->getType())) { 443 return true; 444 } 445 } 446 return false; 447 } 448 449 static bool checkInvariantViolation(ProgramStateRef State, ExplodedNode *N, 450 CheckerContext &C) { 451 if (State->get<InvariantViolated>()) 452 return true; 453 454 const LocationContext *LocCtxt = C.getLocationContext(); 455 const Decl *D = LocCtxt->getDecl(); 456 if (!D) 457 return false; 458 459 ArrayRef<ParmVarDecl*> Params; 460 if (const auto *BD = dyn_cast<BlockDecl>(D)) 461 Params = BD->parameters(); 462 else if (const auto *FD = dyn_cast<FunctionDecl>(D)) 463 Params = FD->parameters(); 464 else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) 465 Params = MD->parameters(); 466 else 467 return false; 468 469 if (checkParamsForPreconditionViolation(Params, State, LocCtxt) || 470 checkSelfIvarsForInvariantViolation(State, LocCtxt)) { 471 if (!N->isSink()) 472 C.addTransition(State->set<InvariantViolated>(true), N); 473 return true; 474 } 475 return false; 476 } 477 478 void NullabilityChecker::reportBugIfInvariantHolds( 479 StringRef Msg, ErrorKind Error, const BugType &BT, ExplodedNode *N, 480 const MemRegion *Region, CheckerContext &C, const Stmt *ValueExpr, 481 bool SuppressPath) const { 482 ProgramStateRef OriginalState = N->getState(); 483 484 if (checkInvariantViolation(OriginalState, N, C)) 485 return; 486 if (SuppressPath) { 487 OriginalState = OriginalState->set<InvariantViolated>(true); 488 N = C.addTransition(OriginalState, N); 489 } 490 491 reportBug(Msg, Error, BT, N, Region, C.getBugReporter(), ValueExpr); 492 } 493 494 /// Cleaning up the program state. 495 void NullabilityChecker::checkDeadSymbols(SymbolReaper &SR, 496 CheckerContext &C) const { 497 ProgramStateRef State = C.getState(); 498 NullabilityMapTy Nullabilities = State->get<NullabilityMap>(); 499 for (const MemRegion *Reg : llvm::make_first_range(Nullabilities)) { 500 const auto *Region = Reg->getAs<SymbolicRegion>(); 501 assert(Region && "Non-symbolic region is tracked."); 502 if (SR.isDead(Region->getSymbol())) { 503 State = State->remove<NullabilityMap>(Reg); 504 } 505 } 506 507 // When an object goes out of scope, we can free the history associated 508 // with any property accesses on that object 509 PropertyAccessesMapTy PropertyAccesses = State->get<PropertyAccessesMap>(); 510 for (ObjectPropPair PropKey : llvm::make_first_range(PropertyAccesses)) { 511 const MemRegion *ReceiverRegion = PropKey.first; 512 if (!SR.isLiveRegion(ReceiverRegion)) { 513 State = State->remove<PropertyAccessesMap>(PropKey); 514 } 515 } 516 517 // When one of the nonnull arguments are constrained to be null, nullability 518 // preconditions are violated. It is not enough to check this only when we 519 // actually report an error, because at that time interesting symbols might be 520 // reaped. 521 if (checkInvariantViolation(State, C.getPredecessor(), C)) 522 return; 523 C.addTransition(State); 524 } 525 526 /// This callback triggers when a pointer is dereferenced and the analyzer does 527 /// not know anything about the value of that pointer. When that pointer is 528 /// nullable, this code emits a warning. 529 void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const { 530 if (Event.SinkNode->getState()->get<InvariantViolated>()) 531 return; 532 533 const MemRegion *Region = 534 getTrackRegion(Event.Location, /*CheckSuperRegion=*/true); 535 if (!Region) 536 return; 537 538 ProgramStateRef State = Event.SinkNode->getState(); 539 const NullabilityState *TrackedNullability = 540 State->get<NullabilityMap>(Region); 541 542 if (!TrackedNullability) 543 return; 544 545 if (NullableDereferenced.isEnabled() && 546 TrackedNullability->getValue() == Nullability::Nullable) { 547 BugReporter &BR = *Event.BR; 548 // Do not suppress errors on defensive code paths, because dereferencing 549 // a nullable pointer is always an error. 550 if (Event.IsDirectDereference) 551 reportBug("Nullable pointer is dereferenced", 552 ErrorKind::NullableDereferenced, NullableDereferenced, 553 Event.SinkNode, Region, BR); 554 else { 555 reportBug("Nullable pointer is passed to a callee that requires a " 556 "non-null", 557 ErrorKind::NullablePassedToNonnull, NullableDereferenced, 558 Event.SinkNode, Region, BR); 559 } 560 } 561 } 562 563 void NullabilityChecker::checkBeginFunction(CheckerContext &C) const { 564 if (!C.inTopFrame()) 565 return; 566 567 const LocationContext *LCtx = C.getLocationContext(); 568 auto AbstractCall = AnyCall::forDecl(LCtx->getDecl()); 569 if (!AbstractCall || AbstractCall->parameters().empty()) 570 return; 571 572 ProgramStateRef State = C.getState(); 573 for (const ParmVarDecl *Param : AbstractCall->parameters()) { 574 if (!isValidPointerType(Param->getType())) 575 continue; 576 577 Nullability RequiredNullability = 578 getNullabilityAnnotation(Param->getType()); 579 if (RequiredNullability != Nullability::Nullable) 580 continue; 581 582 const VarRegion *ParamRegion = State->getRegion(Param, LCtx); 583 const MemRegion *ParamPointeeRegion = 584 State->getSVal(ParamRegion).getAsRegion(); 585 if (!ParamPointeeRegion) 586 continue; 587 588 State = State->set<NullabilityMap>(ParamPointeeRegion, 589 NullabilityState(RequiredNullability)); 590 } 591 C.addTransition(State); 592 } 593 594 // Whenever we see a load from a typed memory region that's been annotated as 595 // 'nonnull', we want to trust the user on that and assume that it is is indeed 596 // non-null. 597 // 598 // We do so even if the value is known to have been assigned to null. 599 // The user should be warned on assigning the null value to a non-null pointer 600 // as opposed to warning on the later dereference of this pointer. 601 // 602 // \code 603 // int * _Nonnull var = 0; // we want to warn the user here... 604 // // . . . 605 // *var = 42; // ...and not here 606 // \endcode 607 void NullabilityChecker::checkLocation(SVal Location, bool IsLoad, 608 const Stmt *S, 609 CheckerContext &Context) const { 610 // We should care only about loads. 611 // The main idea is to add a constraint whenever we're loading a value from 612 // an annotated pointer type. 613 if (!IsLoad) 614 return; 615 616 // Annotations that we want to consider make sense only for types. 617 const auto *Region = 618 dyn_cast_or_null<TypedValueRegion>(Location.getAsRegion()); 619 if (!Region) 620 return; 621 622 ProgramStateRef State = Context.getState(); 623 624 auto StoredVal = State->getSVal(Region).getAs<loc::MemRegionVal>(); 625 if (!StoredVal) 626 return; 627 628 Nullability NullabilityOfTheLoadedValue = 629 getNullabilityAnnotation(Region->getValueType()); 630 631 if (NullabilityOfTheLoadedValue == Nullability::Nonnull) { 632 // It doesn't matter what we think about this particular pointer, it should 633 // be considered non-null as annotated by the developer. 634 if (ProgramStateRef NewState = State->assume(*StoredVal, true)) { 635 Context.addTransition(NewState); 636 } 637 } 638 } 639 640 /// Find the outermost subexpression of E that is not an implicit cast. 641 /// This looks through the implicit casts to _Nonnull that ARC adds to 642 /// return expressions of ObjC types when the return type of the function or 643 /// method is non-null but the express is not. 644 static const Expr *lookThroughImplicitCasts(const Expr *E) { 645 return E->IgnoreImpCasts(); 646 } 647 648 /// This method check when nullable pointer or null value is returned from a 649 /// function that has nonnull return type. 650 void NullabilityChecker::checkPreStmt(const ReturnStmt *S, 651 CheckerContext &C) const { 652 auto RetExpr = S->getRetValue(); 653 if (!RetExpr) 654 return; 655 656 if (!isValidPointerType(RetExpr->getType())) 657 return; 658 659 ProgramStateRef State = C.getState(); 660 if (State->get<InvariantViolated>()) 661 return; 662 663 auto RetSVal = C.getSVal(S).getAs<DefinedOrUnknownSVal>(); 664 if (!RetSVal) 665 return; 666 667 bool InSuppressedMethodFamily = false; 668 669 QualType RequiredRetType; 670 AnalysisDeclContext *DeclCtxt = 671 C.getLocationContext()->getAnalysisDeclContext(); 672 const Decl *D = DeclCtxt->getDecl(); 673 if (auto *MD = dyn_cast<ObjCMethodDecl>(D)) { 674 // HACK: This is a big hammer to avoid warning when there are defensive 675 // nil checks in -init and -copy methods. We should add more sophisticated 676 // logic here to suppress on common defensive idioms but still 677 // warn when there is a likely problem. 678 ObjCMethodFamily Family = MD->getMethodFamily(); 679 if (OMF_init == Family || OMF_copy == Family || OMF_mutableCopy == Family) 680 InSuppressedMethodFamily = true; 681 682 RequiredRetType = MD->getReturnType(); 683 } else if (auto *FD = dyn_cast<FunctionDecl>(D)) { 684 RequiredRetType = FD->getReturnType(); 685 } else { 686 return; 687 } 688 689 NullConstraint Nullness = getNullConstraint(*RetSVal, State); 690 691 Nullability RequiredNullability = getNullabilityAnnotation(RequiredRetType); 692 if (const auto *FunDecl = C.getLocationContext()->getDecl(); 693 FunDecl && FunDecl->getAttr<ReturnsNonNullAttr>() && 694 (RequiredNullability == Nullability::Unspecified || 695 RequiredNullability == Nullability::Nullable)) { 696 // If a function is marked with the returns_nonnull attribute, 697 // the return value must be non-null. 698 RequiredNullability = Nullability::Nonnull; 699 } 700 701 // If the returned value is null but the type of the expression 702 // generating it is nonnull then we will suppress the diagnostic. 703 // This enables explicit suppression when returning a nil literal in a 704 // function with a _Nonnull return type: 705 // return (NSString * _Nonnull)0; 706 Nullability RetExprTypeLevelNullability = 707 getNullabilityAnnotation(lookThroughImplicitCasts(RetExpr)->getType()); 708 709 if (RequiredNullability == Nullability::Nonnull && 710 Nullness == NullConstraint::IsNull) { 711 if (NullReturnedFromNonnull.isEnabled() && 712 RetExprTypeLevelNullability != Nullability::Nonnull && 713 !InSuppressedMethodFamily) { 714 ExplodedNode *N = C.generateErrorNode(State); 715 if (!N) 716 return; 717 718 SmallString<256> SBuf; 719 llvm::raw_svector_ostream OS(SBuf); 720 OS << (RetExpr->getType()->isObjCObjectPointerType() ? "nil" : "Null"); 721 OS << " returned from a " << C.getDeclDescription(D) 722 << " that is expected to return a non-null value"; 723 reportBugIfInvariantHolds(OS.str(), ErrorKind::NilReturnedToNonnull, 724 NullReturnedFromNonnull, N, nullptr, C, 725 RetExpr); 726 return; 727 } 728 729 // If null was returned from a non-null function, mark the nullability 730 // invariant as violated even if the diagnostic was suppressed. 731 State = State->set<InvariantViolated>(true); 732 C.addTransition(State); 733 return; 734 } 735 736 const MemRegion *Region = getTrackRegion(*RetSVal); 737 if (!Region) 738 return; 739 740 const NullabilityState *TrackedNullability = 741 State->get<NullabilityMap>(Region); 742 if (TrackedNullability) { 743 Nullability TrackedNullabValue = TrackedNullability->getValue(); 744 if (NullableReturnedFromNonnull.isEnabled() && 745 Nullness != NullConstraint::IsNotNull && 746 TrackedNullabValue == Nullability::Nullable && 747 RequiredNullability == Nullability::Nonnull) { 748 ExplodedNode *N = C.addTransition(State, C.getPredecessor()); 749 750 SmallString<256> SBuf; 751 llvm::raw_svector_ostream OS(SBuf); 752 OS << "Nullable pointer is returned from a " << C.getDeclDescription(D) << 753 " that is expected to return a non-null value"; 754 755 reportBugIfInvariantHolds(OS.str(), ErrorKind::NullableReturnedToNonnull, 756 NullableReturnedFromNonnull, N, Region, C); 757 } 758 return; 759 } 760 if (RequiredNullability == Nullability::Nullable) { 761 State = State->set<NullabilityMap>(Region, 762 NullabilityState(RequiredNullability, 763 S)); 764 C.addTransition(State); 765 } 766 } 767 768 /// This callback warns when a nullable pointer or a null value is passed to a 769 /// function that expects its argument to be nonnull. 770 void NullabilityChecker::checkPreCall(const CallEvent &Call, 771 CheckerContext &C) const { 772 if (!Call.getDecl()) 773 return; 774 775 ProgramStateRef State = C.getState(); 776 if (State->get<InvariantViolated>()) 777 return; 778 779 ProgramStateRef OrigState = State; 780 781 unsigned Idx = 0; 782 for (const ParmVarDecl *Param : Call.parameters()) { 783 if (Param->isParameterPack()) 784 break; 785 786 if (Idx >= Call.getNumArgs()) 787 break; 788 789 const Expr *ArgExpr = Call.getArgExpr(Idx); 790 auto ArgSVal = Call.getArgSVal(Idx++).getAs<DefinedOrUnknownSVal>(); 791 if (!ArgSVal) 792 continue; 793 794 if (!isValidPointerType(Param->getType()) && 795 !Param->getType()->isReferenceType()) 796 continue; 797 798 NullConstraint Nullness = getNullConstraint(*ArgSVal, State); 799 800 Nullability RequiredNullability = 801 getNullabilityAnnotation(Param->getType()); 802 Nullability ArgExprTypeLevelNullability = 803 getNullabilityAnnotation(lookThroughImplicitCasts(ArgExpr)->getType()); 804 805 unsigned ParamIdx = Param->getFunctionScopeIndex() + 1; 806 807 if (NullPassedToNonnull.isEnabled() && Nullness == NullConstraint::IsNull && 808 ArgExprTypeLevelNullability != Nullability::Nonnull && 809 RequiredNullability == Nullability::Nonnull && 810 isDiagnosableCall(Call)) { 811 ExplodedNode *N = C.generateErrorNode(State); 812 if (!N) 813 return; 814 815 SmallString<256> SBuf; 816 llvm::raw_svector_ostream OS(SBuf); 817 OS << (Param->getType()->isObjCObjectPointerType() ? "nil" : "Null"); 818 OS << " passed to a callee that requires a non-null " << ParamIdx 819 << llvm::getOrdinalSuffix(ParamIdx) << " parameter"; 820 reportBugIfInvariantHolds(OS.str(), ErrorKind::NilPassedToNonnull, 821 NullPassedToNonnull, N, nullptr, C, ArgExpr, 822 /*SuppressPath=*/false); 823 return; 824 } 825 826 const MemRegion *Region = getTrackRegion(*ArgSVal); 827 if (!Region) 828 continue; 829 830 const NullabilityState *TrackedNullability = 831 State->get<NullabilityMap>(Region); 832 833 if (TrackedNullability) { 834 if (Nullness == NullConstraint::IsNotNull || 835 TrackedNullability->getValue() != Nullability::Nullable) 836 continue; 837 838 if (NullablePassedToNonnull.isEnabled() && 839 RequiredNullability == Nullability::Nonnull && 840 isDiagnosableCall(Call)) { 841 ExplodedNode *N = C.addTransition(State); 842 SmallString<256> SBuf; 843 llvm::raw_svector_ostream OS(SBuf); 844 OS << "Nullable pointer is passed to a callee that requires a non-null " 845 << ParamIdx << llvm::getOrdinalSuffix(ParamIdx) << " parameter"; 846 reportBugIfInvariantHolds(OS.str(), ErrorKind::NullablePassedToNonnull, 847 NullablePassedToNonnull, N, Region, C, 848 ArgExpr, /*SuppressPath=*/true); 849 return; 850 } 851 if (NullableDereferenced.isEnabled() && 852 Param->getType()->isReferenceType()) { 853 ExplodedNode *N = C.addTransition(State); 854 reportBugIfInvariantHolds( 855 "Nullable pointer is dereferenced", ErrorKind::NullableDereferenced, 856 NullableDereferenced, N, Region, C, ArgExpr, /*SuppressPath=*/true); 857 return; 858 } 859 continue; 860 } 861 } 862 if (State != OrigState) 863 C.addTransition(State); 864 } 865 866 /// Suppress the nullability warnings for some functions. 867 void NullabilityChecker::checkPostCall(const CallEvent &Call, 868 CheckerContext &C) const { 869 auto Decl = Call.getDecl(); 870 if (!Decl) 871 return; 872 // ObjC Messages handles in a different callback. 873 if (Call.getKind() == CE_ObjCMessage) 874 return; 875 const FunctionType *FuncType = Decl->getFunctionType(); 876 if (!FuncType) 877 return; 878 QualType ReturnType = FuncType->getReturnType(); 879 if (!isValidPointerType(ReturnType)) 880 return; 881 ProgramStateRef State = C.getState(); 882 if (State->get<InvariantViolated>()) 883 return; 884 885 const MemRegion *Region = getTrackRegion(Call.getReturnValue()); 886 if (!Region) 887 return; 888 889 // CG headers are misannotated. Do not warn for symbols that are the results 890 // of CG calls. 891 const SourceManager &SM = C.getSourceManager(); 892 StringRef FilePath = SM.getFilename(SM.getSpellingLoc(Decl->getBeginLoc())); 893 if (llvm::sys::path::filename(FilePath).starts_with("CG")) { 894 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 895 C.addTransition(State); 896 return; 897 } 898 899 const NullabilityState *TrackedNullability = 900 State->get<NullabilityMap>(Region); 901 902 // ObjCMessageExpr gets the actual type through 903 // Sema::getMessageSendResultType, instead of using the return type of 904 // MethodDecl directly. The final type is generated by considering the 905 // nullability of receiver and MethodDecl together. Thus, The type of 906 // ObjCMessageExpr is prefer. 907 if (const Expr *E = Call.getOriginExpr()) 908 ReturnType = E->getType(); 909 910 if (!TrackedNullability && 911 getNullabilityAnnotation(ReturnType) == Nullability::Nullable) { 912 State = State->set<NullabilityMap>(Region, Nullability::Nullable); 913 C.addTransition(State); 914 } 915 } 916 917 static Nullability getReceiverNullability(const ObjCMethodCall &M, 918 ProgramStateRef State) { 919 if (M.isReceiverSelfOrSuper()) { 920 // For super and super class receivers we assume that the receiver is 921 // nonnull. 922 return Nullability::Nonnull; 923 } 924 // Otherwise look up nullability in the state. 925 SVal Receiver = M.getReceiverSVal(); 926 if (auto DefOrUnknown = Receiver.getAs<DefinedOrUnknownSVal>()) { 927 // If the receiver is constrained to be nonnull, assume that it is nonnull 928 // regardless of its type. 929 NullConstraint Nullness = getNullConstraint(*DefOrUnknown, State); 930 if (Nullness == NullConstraint::IsNotNull) 931 return Nullability::Nonnull; 932 } 933 auto ValueRegionSVal = Receiver.getAs<loc::MemRegionVal>(); 934 if (ValueRegionSVal) { 935 const MemRegion *SelfRegion = ValueRegionSVal->getRegion(); 936 assert(SelfRegion); 937 938 const NullabilityState *TrackedSelfNullability = 939 State->get<NullabilityMap>(SelfRegion); 940 if (TrackedSelfNullability) 941 return TrackedSelfNullability->getValue(); 942 } 943 return Nullability::Unspecified; 944 } 945 946 // The return value of a property access is typically a temporary value which 947 // will not be tracked in a persistent manner by the analyzer. We use 948 // evalAssume() in order to immediately record constraints on those temporaries 949 // at the time they are imposed (e.g. by a nil-check conditional). 950 ProgramStateRef NullabilityChecker::evalAssume(ProgramStateRef State, SVal Cond, 951 bool Assumption) const { 952 PropertyAccessesMapTy PropertyAccesses = State->get<PropertyAccessesMap>(); 953 for (auto [PropKey, PropVal] : PropertyAccesses) { 954 if (!PropVal.isConstrainedNonnull) { 955 ConditionTruthVal IsNonNull = State->isNonNull(PropVal.Value); 956 if (IsNonNull.isConstrainedTrue()) { 957 ConstrainedPropertyVal Replacement = PropVal; 958 Replacement.isConstrainedNonnull = true; 959 State = State->set<PropertyAccessesMap>(PropKey, Replacement); 960 } else if (IsNonNull.isConstrainedFalse()) { 961 // Space optimization: no point in tracking constrained-null cases 962 State = State->remove<PropertyAccessesMap>(PropKey); 963 } 964 } 965 } 966 967 return State; 968 } 969 970 /// Calculate the nullability of the result of a message expr based on the 971 /// nullability of the receiver, the nullability of the return value, and the 972 /// constraints. 973 void NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M, 974 CheckerContext &C) const { 975 auto Decl = M.getDecl(); 976 if (!Decl) 977 return; 978 QualType RetType = Decl->getReturnType(); 979 if (!isValidPointerType(RetType)) 980 return; 981 982 ProgramStateRef State = C.getState(); 983 if (State->get<InvariantViolated>()) 984 return; 985 986 const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue()); 987 if (!ReturnRegion) 988 return; 989 990 auto Interface = Decl->getClassInterface(); 991 auto Name = Interface ? Interface->getName() : ""; 992 // In order to reduce the noise in the diagnostics generated by this checker, 993 // some framework and programming style based heuristics are used. These 994 // heuristics are for Cocoa APIs which have NS prefix. 995 if (Name.starts_with("NS")) { 996 // Developers rely on dynamic invariants such as an item should be available 997 // in a collection, or a collection is not empty often. Those invariants can 998 // not be inferred by any static analysis tool. To not to bother the users 999 // with too many false positives, every item retrieval function should be 1000 // ignored for collections. The instance methods of dictionaries in Cocoa 1001 // are either item retrieval related or not interesting nullability wise. 1002 // Using this fact, to keep the code easier to read just ignore the return 1003 // value of every instance method of dictionaries. 1004 if (M.isInstanceMessage() && Name.contains("Dictionary")) { 1005 State = 1006 State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); 1007 C.addTransition(State); 1008 return; 1009 } 1010 // For similar reasons ignore some methods of Cocoa arrays. 1011 StringRef FirstSelectorSlot = M.getSelector().getNameForSlot(0); 1012 if (Name.contains("Array") && 1013 (FirstSelectorSlot == "firstObject" || 1014 FirstSelectorSlot == "lastObject")) { 1015 State = 1016 State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted); 1017 C.addTransition(State); 1018 return; 1019 } 1020 1021 // Encoding related methods of string should not fail when lossless 1022 // encodings are used. Using lossless encodings is so frequent that ignoring 1023 // this class of methods reduced the emitted diagnostics by about 30% on 1024 // some projects (and all of that was false positives). 1025 if (Name.contains("String")) { 1026 for (auto *Param : M.parameters()) { 1027 if (Param->getName() == "encoding") { 1028 State = State->set<NullabilityMap>(ReturnRegion, 1029 Nullability::Contradicted); 1030 C.addTransition(State); 1031 return; 1032 } 1033 } 1034 } 1035 } 1036 1037 const ObjCMessageExpr *Message = M.getOriginExpr(); 1038 Nullability SelfNullability = getReceiverNullability(M, State); 1039 1040 const NullabilityState *NullabilityOfReturn = 1041 State->get<NullabilityMap>(ReturnRegion); 1042 1043 if (NullabilityOfReturn) { 1044 // When we have a nullability tracked for the return value, the nullability 1045 // of the expression will be the most nullable of the receiver and the 1046 // return value. 1047 Nullability RetValTracked = NullabilityOfReturn->getValue(); 1048 Nullability ComputedNullab = 1049 getMostNullable(RetValTracked, SelfNullability); 1050 if (ComputedNullab != RetValTracked && 1051 ComputedNullab != Nullability::Unspecified) { 1052 const Stmt *NullabilitySource = 1053 ComputedNullab == RetValTracked 1054 ? NullabilityOfReturn->getNullabilitySource() 1055 : Message->getInstanceReceiver(); 1056 State = State->set<NullabilityMap>( 1057 ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource)); 1058 C.addTransition(State); 1059 } 1060 return; 1061 } 1062 1063 // No tracked information. Use static type information for return value. 1064 Nullability RetNullability = getNullabilityAnnotation(Message->getType()); 1065 1066 // Properties might be computed, which means the property value could 1067 // theoretically change between calls even in commonly-observed cases like 1068 // this: 1069 // 1070 // if (foo.prop) { // ok, it's nonnull here... 1071 // [bar doStuffWithNonnullVal:foo.prop]; // ...but what about 1072 // here? 1073 // } 1074 // 1075 // If the property is nullable-annotated, a naive analysis would lead to many 1076 // false positives despite the presence of probably-correct nil-checks. To 1077 // reduce the false positive rate, we maintain a history of the most recently 1078 // observed property value. For each property access, if the prior value has 1079 // been constrained to be not nil then we will conservatively assume that the 1080 // next access can be inferred as nonnull. 1081 if (RetNullability != Nullability::Nonnull && 1082 M.getMessageKind() == OCM_PropertyAccess && !C.wasInlined) { 1083 bool LookupResolved = false; 1084 if (const MemRegion *ReceiverRegion = getTrackRegion(M.getReceiverSVal())) { 1085 if (const IdentifierInfo *Ident = 1086 M.getSelector().getIdentifierInfoForSlot(0)) { 1087 LookupResolved = true; 1088 ObjectPropPair Key = std::make_pair(ReceiverRegion, Ident); 1089 const ConstrainedPropertyVal *PrevPropVal = 1090 State->get<PropertyAccessesMap>(Key); 1091 if (PrevPropVal && PrevPropVal->isConstrainedNonnull) { 1092 RetNullability = Nullability::Nonnull; 1093 } else { 1094 // If a previous property access was constrained as nonnull, we hold 1095 // on to that constraint (effectively inferring that all subsequent 1096 // accesses on that code path can be inferred as nonnull). If the 1097 // previous property access was *not* constrained as nonnull, then 1098 // let's throw it away in favor of keeping the SVal associated with 1099 // this more recent access. 1100 if (auto ReturnSVal = 1101 M.getReturnValue().getAs<DefinedOrUnknownSVal>()) { 1102 State = State->set<PropertyAccessesMap>( 1103 Key, ConstrainedPropertyVal(*ReturnSVal)); 1104 } 1105 } 1106 } 1107 } 1108 1109 if (!LookupResolved) { 1110 // Fallback: err on the side of suppressing the false positive. 1111 RetNullability = Nullability::Nonnull; 1112 } 1113 } 1114 1115 Nullability ComputedNullab = getMostNullable(RetNullability, SelfNullability); 1116 if (ComputedNullab == Nullability::Nullable) { 1117 const Stmt *NullabilitySource = ComputedNullab == RetNullability 1118 ? Message 1119 : Message->getInstanceReceiver(); 1120 State = State->set<NullabilityMap>( 1121 ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource)); 1122 C.addTransition(State); 1123 } 1124 } 1125 1126 /// Explicit casts are trusted. If there is a disagreement in the nullability 1127 /// annotations in the destination and the source or '0' is casted to nonnull 1128 /// track the value as having contraditory nullability. This will allow users to 1129 /// suppress warnings. 1130 void NullabilityChecker::checkPostStmt(const ExplicitCastExpr *CE, 1131 CheckerContext &C) const { 1132 QualType OriginType = CE->getSubExpr()->getType(); 1133 QualType DestType = CE->getType(); 1134 if (!isValidPointerType(OriginType)) 1135 return; 1136 if (!isValidPointerType(DestType)) 1137 return; 1138 1139 ProgramStateRef State = C.getState(); 1140 if (State->get<InvariantViolated>()) 1141 return; 1142 1143 Nullability DestNullability = getNullabilityAnnotation(DestType); 1144 1145 // No explicit nullability in the destination type, so this cast does not 1146 // change the nullability. 1147 if (DestNullability == Nullability::Unspecified) 1148 return; 1149 1150 auto RegionSVal = C.getSVal(CE).getAs<DefinedOrUnknownSVal>(); 1151 const MemRegion *Region = getTrackRegion(*RegionSVal); 1152 if (!Region) 1153 return; 1154 1155 // When 0 is converted to nonnull mark it as contradicted. 1156 if (DestNullability == Nullability::Nonnull) { 1157 NullConstraint Nullness = getNullConstraint(*RegionSVal, State); 1158 if (Nullness == NullConstraint::IsNull) { 1159 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 1160 C.addTransition(State); 1161 return; 1162 } 1163 } 1164 1165 const NullabilityState *TrackedNullability = 1166 State->get<NullabilityMap>(Region); 1167 1168 if (!TrackedNullability) { 1169 if (DestNullability != Nullability::Nullable) 1170 return; 1171 State = State->set<NullabilityMap>(Region, 1172 NullabilityState(DestNullability, CE)); 1173 C.addTransition(State); 1174 return; 1175 } 1176 1177 if (TrackedNullability->getValue() != DestNullability && 1178 TrackedNullability->getValue() != Nullability::Contradicted) { 1179 State = State->set<NullabilityMap>(Region, Nullability::Contradicted); 1180 C.addTransition(State); 1181 } 1182 } 1183 1184 /// For a given statement performing a bind, attempt to syntactically 1185 /// match the expression resulting in the bound value. 1186 static const Expr * matchValueExprForBind(const Stmt *S) { 1187 // For `x = e` the value expression is the right-hand side. 1188 if (auto *BinOp = dyn_cast<BinaryOperator>(S)) { 1189 if (BinOp->getOpcode() == BO_Assign) 1190 return BinOp->getRHS(); 1191 } 1192 1193 // For `int x = e` the value expression is the initializer. 1194 if (auto *DS = dyn_cast<DeclStmt>(S)) { 1195 if (DS->isSingleDecl()) { 1196 auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl()); 1197 if (!VD) 1198 return nullptr; 1199 1200 if (const Expr *Init = VD->getInit()) 1201 return Init; 1202 } 1203 } 1204 1205 return nullptr; 1206 } 1207 1208 /// Returns true if \param S is a DeclStmt for a local variable that 1209 /// ObjC automated reference counting initialized with zero. 1210 static bool isARCNilInitializedLocal(CheckerContext &C, const Stmt *S) { 1211 // We suppress diagnostics for ARC zero-initialized _Nonnull locals. This 1212 // prevents false positives when a _Nonnull local variable cannot be 1213 // initialized with an initialization expression: 1214 // NSString * _Nonnull s; // no-warning 1215 // @autoreleasepool { 1216 // s = ... 1217 // } 1218 // 1219 // FIXME: We should treat implicitly zero-initialized _Nonnull locals as 1220 // uninitialized in Sema's UninitializedValues analysis to warn when a use of 1221 // the zero-initialized definition will unexpectedly yield nil. 1222 1223 // Locals are only zero-initialized when automated reference counting 1224 // is turned on. 1225 if (!C.getASTContext().getLangOpts().ObjCAutoRefCount) 1226 return false; 1227 1228 auto *DS = dyn_cast<DeclStmt>(S); 1229 if (!DS || !DS->isSingleDecl()) 1230 return false; 1231 1232 auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl()); 1233 if (!VD) 1234 return false; 1235 1236 // Sema only zero-initializes locals with ObjCLifetimes. 1237 if(!VD->getType().getQualifiers().hasObjCLifetime()) 1238 return false; 1239 1240 const Expr *Init = VD->getInit(); 1241 assert(Init && "ObjC local under ARC without initializer"); 1242 1243 // Return false if the local is explicitly initialized (e.g., with '= nil'). 1244 if (!isa<ImplicitValueInitExpr>(Init)) 1245 return false; 1246 1247 return true; 1248 } 1249 1250 /// Propagate the nullability information through binds and warn when nullable 1251 /// pointer or null symbol is assigned to a pointer with a nonnull type. 1252 void NullabilityChecker::checkBind(SVal L, SVal V, const Stmt *S, 1253 CheckerContext &C) const { 1254 const TypedValueRegion *TVR = 1255 dyn_cast_or_null<TypedValueRegion>(L.getAsRegion()); 1256 if (!TVR) 1257 return; 1258 1259 QualType LocType = TVR->getValueType(); 1260 if (!isValidPointerType(LocType)) 1261 return; 1262 1263 ProgramStateRef State = C.getState(); 1264 if (State->get<InvariantViolated>()) 1265 return; 1266 1267 auto ValDefOrUnknown = V.getAs<DefinedOrUnknownSVal>(); 1268 if (!ValDefOrUnknown) 1269 return; 1270 1271 NullConstraint RhsNullness = getNullConstraint(*ValDefOrUnknown, State); 1272 1273 Nullability ValNullability = Nullability::Unspecified; 1274 if (SymbolRef Sym = ValDefOrUnknown->getAsSymbol()) 1275 ValNullability = getNullabilityAnnotation(Sym->getType()); 1276 1277 Nullability LocNullability = getNullabilityAnnotation(LocType); 1278 1279 // If the type of the RHS expression is nonnull, don't warn. This 1280 // enables explicit suppression with a cast to nonnull. 1281 Nullability ValueExprTypeLevelNullability = Nullability::Unspecified; 1282 const Expr *ValueExpr = matchValueExprForBind(S); 1283 if (ValueExpr) { 1284 ValueExprTypeLevelNullability = 1285 getNullabilityAnnotation(lookThroughImplicitCasts(ValueExpr)->getType()); 1286 } 1287 1288 bool NullAssignedToNonNull = (LocNullability == Nullability::Nonnull && 1289 RhsNullness == NullConstraint::IsNull); 1290 if (NullPassedToNonnull.isEnabled() && NullAssignedToNonNull && 1291 ValNullability != Nullability::Nonnull && 1292 ValueExprTypeLevelNullability != Nullability::Nonnull && 1293 !isARCNilInitializedLocal(C, S)) { 1294 ExplodedNode *N = C.generateErrorNode(State); 1295 if (!N) 1296 return; 1297 1298 1299 const Stmt *ValueStmt = S; 1300 if (ValueExpr) 1301 ValueStmt = ValueExpr; 1302 1303 SmallString<256> SBuf; 1304 llvm::raw_svector_ostream OS(SBuf); 1305 OS << (LocType->isObjCObjectPointerType() ? "nil" : "Null"); 1306 OS << " assigned to a pointer which is expected to have non-null value"; 1307 reportBugIfInvariantHolds(OS.str(), ErrorKind::NilAssignedToNonnull, 1308 NullPassedToNonnull, N, nullptr, C, ValueStmt); 1309 return; 1310 } 1311 1312 // If null was returned from a non-null function, mark the nullability 1313 // invariant as violated even if the diagnostic was suppressed. 1314 if (NullAssignedToNonNull) { 1315 State = State->set<InvariantViolated>(true); 1316 C.addTransition(State); 1317 return; 1318 } 1319 1320 // Intentionally missing case: '0' is bound to a reference. It is handled by 1321 // the DereferenceChecker. 1322 1323 const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown); 1324 if (!ValueRegion) 1325 return; 1326 1327 const NullabilityState *TrackedNullability = 1328 State->get<NullabilityMap>(ValueRegion); 1329 1330 if (TrackedNullability) { 1331 if (RhsNullness == NullConstraint::IsNotNull || 1332 TrackedNullability->getValue() != Nullability::Nullable) 1333 return; 1334 if (NullablePassedToNonnull.isEnabled() && 1335 LocNullability == Nullability::Nonnull) { 1336 ExplodedNode *N = C.addTransition(State, C.getPredecessor()); 1337 reportBugIfInvariantHolds("Nullable pointer is assigned to a pointer " 1338 "which is expected to have non-null value", 1339 ErrorKind::NullableAssignedToNonnull, 1340 NullablePassedToNonnull, N, ValueRegion, C); 1341 } 1342 return; 1343 } 1344 1345 const auto *BinOp = dyn_cast<BinaryOperator>(S); 1346 1347 if (ValNullability == Nullability::Nullable) { 1348 // Trust the static information of the value more than the static 1349 // information on the location. 1350 const Stmt *NullabilitySource = BinOp ? BinOp->getRHS() : S; 1351 State = State->set<NullabilityMap>( 1352 ValueRegion, NullabilityState(ValNullability, NullabilitySource)); 1353 C.addTransition(State); 1354 return; 1355 } 1356 1357 if (LocNullability == Nullability::Nullable) { 1358 const Stmt *NullabilitySource = BinOp ? BinOp->getLHS() : S; 1359 State = State->set<NullabilityMap>( 1360 ValueRegion, NullabilityState(LocNullability, NullabilitySource)); 1361 C.addTransition(State); 1362 } 1363 } 1364 1365 void NullabilityChecker::printState(raw_ostream &Out, ProgramStateRef State, 1366 const char *NL, const char *Sep) const { 1367 1368 NullabilityMapTy B = State->get<NullabilityMap>(); 1369 1370 if (State->get<InvariantViolated>()) 1371 Out << Sep << NL 1372 << "Nullability invariant was violated, warnings suppressed." << NL; 1373 1374 if (B.isEmpty()) 1375 return; 1376 1377 if (!State->get<InvariantViolated>()) 1378 Out << Sep << NL; 1379 1380 for (auto [Region, State] : B) { 1381 Out << Region << " : "; 1382 State.print(Out); 1383 Out << NL; 1384 } 1385 } 1386 1387 // The checker group "nullability" (which consists of the checkers that are 1388 // implemented in this file) has a group-level configuration option which 1389 // affects all the checkers in the group. As this is a completely unique 1390 // remnant of old design (this is the only group option in the analyzer), there 1391 // is no machinery to inject the group name from `Checkers.td`, so it is simply 1392 // hardcoded here: 1393 constexpr llvm::StringLiteral GroupName = "nullability"; 1394 constexpr llvm::StringLiteral GroupOptName = "NoDiagnoseCallsToSystemHeaders"; 1395 1396 #define REGISTER_CHECKER(NAME, TRACKING_REQUIRED) \ 1397 void ento::register##NAME##Checker(CheckerManager &Mgr) { \ 1398 NullabilityChecker *Chk = Mgr.getChecker<NullabilityChecker>(); \ 1399 Chk->NAME.enable(Mgr); \ 1400 Chk->NeedTracking = Chk->NeedTracking || TRACKING_REQUIRED; \ 1401 Chk->NoDiagnoseCallsToSystemHeaders = \ 1402 Mgr.getAnalyzerOptions().getCheckerBooleanOption(GroupName, \ 1403 GroupOptName, true); \ 1404 } \ 1405 \ 1406 bool ento::shouldRegister##NAME##Checker(const CheckerManager &) { \ 1407 return true; \ 1408 } 1409 1410 // The checks are likely to be turned on by default and it is possible to do 1411 // them without tracking any nullability related information. As an optimization 1412 // no nullability information will be tracked when only these two checks are 1413 // enables. 1414 REGISTER_CHECKER(NullPassedToNonnull, false) 1415 REGISTER_CHECKER(NullReturnedFromNonnull, false) 1416 1417 REGISTER_CHECKER(NullableDereferenced, true) 1418 REGISTER_CHECKER(NullablePassedToNonnull, true) 1419 REGISTER_CHECKER(NullableReturnedFromNonnull, true) 1420