NullabilityChecker.cpp source code [clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp]

1	//===-- NullabilityChecker.cpp - Nullability checker ----------------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This checker tries to find nullability violations. There are several kinds of
10	// possible violations:
11	// Null pointer is passed to a pointer which has a _Nonnull type.*
12	// Null pointer is returned from a function which has a _Nonnull return type.*
13	// Nullable pointer is passed to a pointer which has a _Nonnull type.*
14	// Nullable pointer is returned from a function which has a _Nonnull return*
15	// type.
16	// Nullable pointer is dereferenced.*
17	//
18	// This checker propagates the nullability information of the pointers and looks
19	// for the patterns that are described above. Explicit casts are trusted and are
20	// considered a way to suppress false positives for this checker. The other way
21	// to suppress warnings would be to add asserts or guarding if statements to the
22	// code. In addition to the nullability propagation this checker also uses some
23	// heuristics to suppress potential false positives.
24	//
25	//===----------------------------------------------------------------------===//
26
27	#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
28
29	#include "clang/Analysis/AnyCall.h"
30	#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
31	#include "clang/StaticAnalyzer/Core/Checker.h"
32	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
33	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
34	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
35	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
36
37	#include "llvm/ADT/STLExtras.h"
38	#include "llvm/ADT/StringExtras.h"
39	#include "llvm/Support/Path.h"
40
41	using namespace clang;
42	using namespace ento;
43
44	namespace {
45
46	/// Returns the most nullable nullability. This is used for message expressions
47	/// like [receiver method], where the nullability of this expression is either
48	/// the nullability of the receiver or the nullability of the return type of the
49	/// method, depending on which is more nullable. Contradicted is considered to
50	/// be the most nullable, to avoid false positive results.
51	Nullability getMostNullable(Nullability Lhs, Nullability Rhs) {
52	return static_cast<Nullability>(
53	std::min(a: static_cast<char>(Lhs), b: static_cast<char>(Rhs)));
54	}
55
56	const char *getNullabilityString(Nullability Nullab) {
57	switch (Nullab) {
58	case Nullability::Contradicted:
59	return "contradicted";
60	case Nullability::Nullable:
61	return "nullable";
62	case Nullability::Unspecified:
63	return "unspecified";
64	case Nullability::Nonnull:
65	return "nonnull";
66	}
67	llvm_unreachable("Unexpected enumeration.");
68	return "";
69	}
70
71	// These enums are used as an index to ErrorMessages array.
72	enum class ErrorKind : int {
73	NilAssignedToNonnull,
74	NilPassedToNonnull,
75	NilReturnedToNonnull,
76	NullableAssignedToNonnull,
77	NullableReturnedToNonnull,
78	NullableDereferenced,
79	NullablePassedToNonnull
80	};
81
82	class NullabilityChecker
83	: public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>,
84	check::PostCall, check::PostStmt<ExplicitCastExpr>,
85	check::PostObjCMessage, check::DeadSymbols, eval::Assume,
86	check::Location, check::Event<ImplicitNullDerefEvent>,
87	check::BeginFunction> {
88
89	public:
90	// If true, the checker will not diagnose nullabilility issues for calls
91	// to system headers. This option is motivated by the observation that large
92	// projects may have many nullability warnings. These projects may
93	// find warnings about nullability annotations that they have explicitly
94	// added themselves higher priority to fix than warnings on calls to system
95	// libraries.
96	bool NoDiagnoseCallsToSystemHeaders = false;
97
98	void checkBind(SVal L, SVal V, const Stmt S, CheckerContext &C) const*;
99	void checkPostStmt(const ExplicitCastExpr CE, CheckerContext &C) const*;
100	void checkPreStmt(const ReturnStmt S, CheckerContext &C) const*;
101	void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
102	void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
103	void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
104	void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
105	void checkEvent(ImplicitNullDerefEvent Event) const;
106	void checkLocation(SVal Location, bool IsLoad, const Stmt *S,
107	CheckerContext &C) const;
108	void checkBeginFunction(CheckerContext &Ctx) const;
109	ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
110	bool Assumption) const;
111
112	void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
113	const char Sep) const* override;
114
115	enum CheckKind {
116	CK_NullPassedToNonnull,
117	CK_NullReturnedFromNonnull,
118	CK_NullableDereferenced,
119	CK_NullablePassedToNonnull,
120	CK_NullableReturnedFromNonnull,
121	CK_NumCheckKinds
122	};
123
124	bool ChecksEnabled[CK_NumCheckKinds] = {false};
125	CheckerNameRef CheckNames[CK_NumCheckKinds];
126	mutable std::unique_ptr<BugType> BTs[CK_NumCheckKinds];
127
128	const std::unique_ptr<BugType> &getBugType(CheckKind Kind) const {
129	if (!BTs[Kind])
130	BTs[Kind].reset(p: new BugType (CheckNames[Kind], "Nullability",
131	categories::MemoryError));
132	return BTs[Kind];
133	}
134
135	// When set to false no nullability information will be tracked in
136	// NullabilityMap. It is possible to catch errors like passing a null pointer
137	// to a callee that expects nonnull argument without the information that is
138	// stored in the NullabilityMap. This is an optimization.
139	bool NeedTracking = false;
140
141	private:
142	class NullabilityBugVisitor : public BugReporterVisitor {
143	public:
144	NullabilityBugVisitor(const MemRegion *M) : Region(M) {}
145
146	void Profile(llvm::FoldingSetNodeID &ID) const override {
147	static int X = `0`;
148	ID.AddPointer(Ptr: &X);
149	ID.AddPointer(Ptr: Region);
150	}
151
152	PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
153	BugReporterContext &BRC,
154	PathSensitiveBugReport &BR) override;
155
156	private:
157	// The tracked region.
158	const MemRegion *Region;
159	};
160
161	/// When any of the nonnull arguments of the analyzed function is null, do not
162	/// report anything and turn off the check.
163	///
164	/// When \p SuppressPath is set to true, no more bugs will be reported on this
165	/// path by this checker.
166	void reportBugIfInvariantHolds(StringRef Msg, ErrorKind Error, CheckKind CK,
167	ExplodedNode N, const* MemRegion *Region,
168	CheckerContext &C,
169	const Stmt ValueExpr = nullptr*,
170	bool SuppressPath = false) const;
171
172	void reportBug(StringRef Msg, ErrorKind Error, CheckKind CK, ExplodedNode *N,
173	const MemRegion *Region, BugReporter &BR,
174	const Stmt ValueExpr = nullptr) const* {
175	const std::unique_ptr<BugType> &BT = getBugType(Kind: CK);
176	auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT, args&: Msg, args&: N);
177	if (Region) {
178	R ->markInteresting(R: Region);
179	R ->addVisitor<NullabilityBugVisitor>(ConstructorArgs&: Region);
180	}
181	if (ValueExpr) {
182	R ->addRange(R: ValueExpr->getSourceRange());
183	if (Error == ErrorKind::NilAssignedToNonnull \|\|
184	Error == ErrorKind::NilPassedToNonnull \|\|
185	Error == ErrorKind::NilReturnedToNonnull)
186	if (const auto *Ex = dyn_cast<Expr>(Val: ValueExpr))
187	bugreporter::trackExpressionValue(N, E: Ex, R&: *R);
188	}
189	BR.emitReport(R: std::move(R));
190	}
191
192	/// If an SVal wraps a region that should be tracked, it will return a pointer
193	/// to the wrapped region. Otherwise it will return a nullptr.
194	const SymbolicRegion *getTrackRegion(SVal Val,
195	bool CheckSuperRegion = false) const;
196
197	/// Returns true if the call is diagnosable in the current analyzer
198	/// configuration.
199	bool isDiagnosableCall(const CallEvent &Call) const {
200	if (NoDiagnoseCallsToSystemHeaders && Call.isInSystemHeader())
201	return false;
202
203	return true;
204	}
205	};
206
207	class NullabilityState {
208	public:
209	NullabilityState(Nullability Nullab, const Stmt Source = nullptr*)
210	: Nullab(Nullab), Source(Source) {}
211
212	const Stmt getNullabilitySource() const* { return Source; }
213
214	Nullability getValue() const { return Nullab; }
215
216	void Profile(llvm::FoldingSetNodeID &ID) const {
217	ID.AddInteger(I: static_cast<char>(Nullab));
218	ID.AddPointer(Ptr: Source);
219	}
220
221	void print(raw_ostream &Out) const {
222	Out << getNullabilityString(Nullab) << "\n";
223	}
224
225	private:
226	Nullability Nullab;
227	// Source is the expression which determined the nullability. For example in a
228	// message like [nullable nonnull_returning] has nullable nullability, because
229	// the receiver is nullable. Here the receiver will be the source of the
230	// nullability. This is useful information when the diagnostics are generated.
231	const Stmt *Source;
232	};
233
234	bool operator==(NullabilityState Lhs, NullabilityState Rhs) {
235	return Lhs.getValue() == Rhs.getValue() &&
236	Lhs.getNullabilitySource() == Rhs.getNullabilitySource();
237	}
238
239	// For the purpose of tracking historical property accesses, the key for lookup
240	// is an object pointer (could be an instance or a class) paired with the unique
241	// identifier for the property being invoked on that object.
242	using ObjectPropPair = std::pair<const MemRegion , const* IdentifierInfo *>;
243
244	// Metadata associated with the return value from a recorded property access.
245	struct ConstrainedPropertyVal {
246	// This will reference the conjured return SVal for some call
247	// of the form [object property]
248	DefinedOrUnknownSVal Value;
249
250	// If the SVal has been determined to be nonnull, that is recorded here
251	bool isConstrainedNonnull;
252
253	ConstrainedPropertyVal(DefinedOrUnknownSVal SV)
254	: Value (SV), isConstrainedNonnull(false) {}
255
256	void Profile(llvm::FoldingSetNodeID &ID) const {
257	Value.Profile(ID);
258	ID.AddInteger(I: isConstrainedNonnull ? `1` : `0`);
259	}
260	};
261
262	bool operator==(const ConstrainedPropertyVal &Lhs,
263	const ConstrainedPropertyVal &Rhs) {
264	return Lhs.Value == Rhs.Value &&
265	Lhs.isConstrainedNonnull == Rhs.isConstrainedNonnull;
266	}
267
268	} // end anonymous namespace
269
270	REGISTER_MAP_WITH_PROGRAMSTATE(NullabilityMap, const MemRegion *,
271	NullabilityState)
272	REGISTER_MAP_WITH_PROGRAMSTATE(PropertyAccessesMap, ObjectPropPair,
273	ConstrainedPropertyVal)
274
275	// We say "the nullability type invariant is violated" when a location with a
276	// non-null type contains NULL or a function with a non-null return type returns
277	// NULL. Violations of the nullability type invariant can be detected either
278	// directly (for example, when NULL is passed as an argument to a nonnull
279	// parameter) or indirectly (for example, when, inside a function, the
280	// programmer defensively checks whether a nonnull parameter contains NULL and
281	// finds that it does).
282	//
283	// As a matter of policy, the nullability checker typically warns on direct
284	// violations of the nullability invariant (although it uses various
285	// heuristics to suppress warnings in some cases) but will not warn if the
286	// invariant has already been violated along the path (either directly or
287	// indirectly). As a practical matter, this prevents the analyzer from
288	// (1) warning on defensive code paths where a nullability precondition is
289	// determined to have been violated, (2) warning additional times after an
290	// initial direct violation has been discovered, and (3) warning after a direct
291	// violation that has been implicitly or explicitly suppressed (for
292	// example, with a cast of NULL to _Nonnull). In essence, once an invariant
293	// violation is detected on a path, this checker will be essentially turned off
294	// for the rest of the analysis
295	//
296	// The analyzer takes this approach (rather than generating a sink node) to
297	// ensure coverage of defensive paths, which may be important for backwards
298	// compatibility in codebases that were developed without nullability in mind.
299	REGISTER_TRAIT_WITH_PROGRAMSTATE(InvariantViolated, bool)
300
301	enum class NullConstraint { IsNull, IsNotNull, Unknown };
302
303	static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val,
304	ProgramStateRef State) {
305	ConditionTruthVal Nullness = State ->isNull(V: Val);
306	if (Nullness.isConstrainedFalse())
307	return NullConstraint::IsNotNull;
308	if (Nullness.isConstrainedTrue())
309	return NullConstraint::IsNull;
310	return NullConstraint::Unknown;
311	}
312
313	static bool isValidPointerType(QualType T) {
314	return T ->isAnyPointerType() \|\| T ->isBlockPointerType();
315	}
316
317	const SymbolicRegion *
318	NullabilityChecker::getTrackRegion(SVal Val, bool CheckSuperRegion) const {
319	if (!NeedTracking)
320	return nullptr;
321
322	auto RegionSVal = Val.getAs<loc::MemRegionVal>();
323	if (!RegionSVal)
324	return nullptr;
325
326	const MemRegion *Region = RegionSVal ->getRegion();
327
328	if (CheckSuperRegion) {
329	if (const SubRegion *FieldReg = Region->getAs<FieldRegion>()) {
330	if (const auto *ER = dyn_cast<ElementRegion>(Val: FieldReg->getSuperRegion()))
331	FieldReg = ER;
332	return dyn_cast<SymbolicRegion>(Val: FieldReg->getSuperRegion());
333	}
334	if (auto ElementReg = Region->getAs<ElementRegion>())
335	return dyn_cast<SymbolicRegion>(ElementReg->getSuperRegion());
336	}
337
338	return dyn_cast<SymbolicRegion>(Val: Region);
339	}
340
341	PathDiagnosticPieceRef NullabilityChecker::NullabilityBugVisitor::VisitNode(
342	const ExplodedNode *N, BugReporterContext &BRC,
343	PathSensitiveBugReport &BR) {
344	ProgramStateRef State = N->getState();
345	ProgramStateRef StatePrev = N->getFirstPred()->getState();
346
347	const NullabilityState *TrackedNullab = State ->get<NullabilityMap>(key: Region);
348	const NullabilityState *TrackedNullabPrev =
349	StatePrev ->get<NullabilityMap>(key: Region);
350	if (!TrackedNullab)
351	return nullptr;
352
353	if (TrackedNullabPrev &&
354	TrackedNullabPrev->getValue() == TrackedNullab->getValue())
355	return nullptr;
356
357	// Retrieve the associated statement.
358	const Stmt *S = TrackedNullab->getNullabilitySource();
359	if (!S \|\| S->getBeginLoc().isInvalid()) {
360	S = N->getStmtForDiagnostics();
361	}
362
363	if (!S)
364	return nullptr;
365
366	std::string InfoText =
367	(llvm::Twine ("Nullability '") +
368	getNullabilityString(Nullab: TrackedNullab->getValue()) + "' is inferred")
369	.str();
370
371	// Generate the extra diagnostic.
372	PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
373	N->getLocationContext());
374	return std::make_shared<PathDiagnosticEventPiece>(args&: Pos, args&: InfoText, args: true);
375	}
376
377	/// Returns true when the value stored at the given location has been
378	/// constrained to null after being passed through an object of nonnnull type.
379	static bool checkValueAtLValForInvariantViolation(ProgramStateRef State,
380	SVal LV, QualType T) {
381	if (getNullabilityAnnotation(Type: T) != Nullability::Nonnull)
382	return false;
383
384	auto RegionVal = LV.getAs<loc::MemRegionVal>();
385	if (!RegionVal)
386	return false;
387
388	// If the value was constrained to null after* it was passed through that*
389	// location, it could not have been a concrete pointer when* it was passed.*
390	// In that case we would have handled the situation when the value was
391	// bound to that location, by emitting (or not emitting) a report.
392	// Therefore we are only interested in symbolic regions that can be either
393	// null or non-null depending on the value of their respective symbol.
394	auto StoredVal = State ->getSVal(LV: *RegionVal).getAs<loc::MemRegionVal>();
395	if (!StoredVal \|\| !isa<SymbolicRegion>(Val: StoredVal ->getRegion()))
396	return false;
397
398	if (getNullConstraint(Val: *StoredVal, State) == NullConstraint::IsNull)
399	return true;
400
401	return false;
402	}
403
404	static bool
405	checkParamsForPreconditionViolation(ArrayRef<ParmVarDecl *> Params,
406	ProgramStateRef State,
407	const LocationContext *LocCtxt) {
408	for (const auto *ParamDecl : Params) {
409	if (ParamDecl->isParameterPack())
410	break;
411
412	SVal LV = State ->getLValue(ParamDecl, LocCtxt);
413	if (checkValueAtLValForInvariantViolation(State, LV,
414	ParamDecl->getType())) {
415	return true;
416	}
417	}
418	return false;
419	}
420
421	static bool
422	checkSelfIvarsForInvariantViolation(ProgramStateRef State,
423	const LocationContext *LocCtxt) {
424	auto *MD = dyn_cast<ObjCMethodDecl>(Val: LocCtxt->getDecl());
425	if (!MD \|\| !MD->isInstanceMethod())
426	return false;
427
428	const ImplicitParamDecl *SelfDecl = LocCtxt->getSelfDecl();
429	if (!SelfDecl)
430	return false;
431
432	SVal SelfVal = State ->getSVal(R: State ->getRegion(SelfDecl, LocCtxt));
433
434	const ObjCObjectPointerType *SelfType =
435	dyn_cast<ObjCObjectPointerType>(SelfDecl->getType());
436	if (!SelfType)
437	return false;
438
439	const ObjCInterfaceDecl *ID = SelfType->getInterfaceDecl();
440	if (!ID)
441	return false;
442
443	for (const auto *IvarDecl : ID->ivars()) {
444	SVal LV = State->getLValue(IvarDecl, SelfVal);
445	if (checkValueAtLValForInvariantViolation(State, LV, IvarDecl->getType())) {
446	return true;
447	}
448	}
449	return false;
450	}
451
452	static bool checkInvariantViolation(ProgramStateRef State, ExplodedNode *N,
453	CheckerContext &C) {
454	if (State ->get<InvariantViolated>())
455	return true;
456
457	const LocationContext *LocCtxt = C.getLocationContext();
458	const Decl *D = LocCtxt->getDecl();
459	if (!D)
460	return false;
461
462	ArrayRef<ParmVarDecl*> Params;
463	if (const auto *BD = dyn_cast<BlockDecl>(Val: D))
464	Params = BD->parameters();
465	else if (const auto *FD = dyn_cast<FunctionDecl>(Val: D))
466	Params = FD->parameters();
467	else if (const auto *MD = dyn_cast<ObjCMethodDecl>(Val: D))
468	Params = MD->parameters();
469	else
470	return false;
471
472	if (checkParamsForPreconditionViolation(Params, State, LocCtxt) \|\|
473	checkSelfIvarsForInvariantViolation(State, LocCtxt)) {
474	if (!N->isSink())
475	C.addTransition(State: State ->set<InvariantViolated>(true), Pred: N);
476	return true;
477	}
478	return false;
479	}
480
481	void NullabilityChecker::reportBugIfInvariantHolds(
482	StringRef Msg, ErrorKind Error, CheckKind CK, ExplodedNode *N,
483	const MemRegion Region, CheckerContext &C, const* Stmt *ValueExpr,
484	bool SuppressPath) const {
485	ProgramStateRef OriginalState = N->getState();
486
487	if (checkInvariantViolation(State: OriginalState, N, C))
488	return;
489	if (SuppressPath) {
490	OriginalState = OriginalState ->set<InvariantViolated>(true);
491	N = C.addTransition(State: OriginalState, Pred: N);
492	}
493
494	reportBug(Msg, Error, CK, N, Region, BR&: C.getBugReporter(), ValueExpr);
495	}
496
497	/// Cleaning up the program state.
498	void NullabilityChecker::checkDeadSymbols(SymbolReaper &SR,
499	CheckerContext &C) const {
500	ProgramStateRef State = C.getState();
501	NullabilityMapTy Nullabilities = State ->get<NullabilityMap>();
502	for (const MemRegion *Reg : llvm::make_first_range(c&: Nullabilities)) {
503	const auto *Region = Reg->getAs<SymbolicRegion>();
504	assert(Region && "Non-symbolic region is tracked.");
505	if (SR.isDead(sym: Region->getSymbol())) {
506	State = State ->remove<NullabilityMap>(K: Reg);
507	}
508	}
509
510	// When an object goes out of scope, we can free the history associated
511	// with any property accesses on that object
512	PropertyAccessesMapTy PropertyAccesses = State ->get<PropertyAccessesMap>();
513	for (ObjectPropPair PropKey : llvm::make_first_range(c&: PropertyAccesses)) {
514	const MemRegion *ReceiverRegion = PropKey.first;
515	if (!SR.isLiveRegion(region: ReceiverRegion)) {
516	State = State ->remove<PropertyAccessesMap>(K: PropKey);
517	}
518	}
519
520	// When one of the nonnull arguments are constrained to be null, nullability
521	// preconditions are violated. It is not enough to check this only when we
522	// actually report an error, because at that time interesting symbols might be
523	// reaped.
524	if (checkInvariantViolation(State, N: C.getPredecessor(), C))
525	return;
526	C.addTransition(State);
527	}
528
529	/// This callback triggers when a pointer is dereferenced and the analyzer does
530	/// not know anything about the value of that pointer. When that pointer is
531	/// nullable, this code emits a warning.
532	void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const {
533	if (Event.SinkNode->getState()->get<InvariantViolated>())
534	return;
535
536	const MemRegion *Region =
537	getTrackRegion(Val: Event.Location, /CheckSuperRegion=/true);
538	if (!Region)
539	return;
540
541	ProgramStateRef State = Event.SinkNode->getState();
542	const NullabilityState *TrackedNullability =
543	State ->get<NullabilityMap>(key: Region);
544
545	if (!TrackedNullability)
546	return;
547
548	if (ChecksEnabled[CK_NullableDereferenced] &&
549	TrackedNullability->getValue() == Nullability::Nullable) {
550	BugReporter &BR = *Event.BR;
551	// Do not suppress errors on defensive code paths, because dereferencing
552	// a nullable pointer is always an error.
553	if (Event.IsDirectDereference)
554	reportBug(Msg: "Nullable pointer is dereferenced",
555	Error: ErrorKind::NullableDereferenced, CK: CK_NullableDereferenced,
556	N: Event.SinkNode, Region, BR);
557	else {
558	reportBug(Msg: "Nullable pointer is passed to a callee that requires a "
559	"non-null",
560	Error: ErrorKind::NullablePassedToNonnull, CK: CK_NullableDereferenced,
561	N: Event.SinkNode, Region, BR);
562	}
563	}
564	}
565
566	void NullabilityChecker::checkBeginFunction(CheckerContext &C) const {
567	if (!C.inTopFrame())
568	return;
569
570	const LocationContext *LCtx = C.getLocationContext();
571	auto AbstractCall = AnyCall::forDecl(D: LCtx->getDecl());
572	if (!AbstractCall \|\| AbstractCall ->parameters().empty())
573	return;
574
575	ProgramStateRef State = C.getState();
576	for (const ParmVarDecl *Param : AbstractCall ->parameters()) {
577	if (!isValidPointerType(Param->getType()))
578	continue;
579
580	Nullability RequiredNullability =
581	getNullabilityAnnotation(Param->getType());
582	if (RequiredNullability != Nullability::Nullable)
583	continue;
584
585	const VarRegion *ParamRegion = State ->getRegion(Param, LCtx);
586	const MemRegion *ParamPointeeRegion =
587	State ->getSVal(R: ParamRegion).getAsRegion();
588	if (!ParamPointeeRegion)
589	continue;
590
591	State = State ->set<NullabilityMap>(K: ParamPointeeRegion,
592	E: NullabilityState (RequiredNullability));
593	}
594	C.addTransition(State);
595	}
596
597	// Whenever we see a load from a typed memory region that's been annotated as
598	// 'nonnull', we want to trust the user on that and assume that it is is indeed
599	// non-null.
600	//
601	// We do so even if the value is known to have been assigned to null.
602	// The user should be warned on assigning the null value to a non-null pointer
603	// as opposed to warning on the later dereference of this pointer.
604	//
605	// \code
606	// int _Nonnull var = 0; // we want to warn the user here...*
607	// // . . .
608	// var = 42; // ...and not here*
609	// \endcode
610	void NullabilityChecker::checkLocation(SVal Location, bool IsLoad,
611	const Stmt *S,
612	CheckerContext &Context) const {
613	// We should care only about loads.
614	// The main idea is to add a constraint whenever we're loading a value from
615	// an annotated pointer type.
616	if (!IsLoad)
617	return;
618
619	// Annotations that we want to consider make sense only for types.
620	const auto *Region =
621	dyn_cast_or_null<TypedValueRegion>(Val: Location.getAsRegion());
622	if (!Region)
623	return;
624
625	ProgramStateRef State = Context.getState();
626
627	auto StoredVal = State ->getSVal(R: Region).getAs<loc::MemRegionVal>();
628	if (!StoredVal)
629	return;
630
631	Nullability NullabilityOfTheLoadedValue =
632	getNullabilityAnnotation(Type: Region->getValueType());
633
634	if (NullabilityOfTheLoadedValue == Nullability::Nonnull) {
635	// It doesn't matter what we think about this particular pointer, it should
636	// be considered non-null as annotated by the developer.
637	if (ProgramStateRef NewState = State ->assume(Cond: StoredVal, Assumption: true*)) {
638	Context.addTransition(State: NewState);
639	}
640	}
641	}
642
643	/// Find the outermost subexpression of E that is not an implicit cast.
644	/// This looks through the implicit casts to _Nonnull that ARC adds to
645	/// return expressions of ObjC types when the return type of the function or
646	/// method is non-null but the express is not.
647	static const Expr lookThroughImplicitCasts(const* Expr *E) {
648	return E->IgnoreImpCasts();
649	}
650
651	/// This method check when nullable pointer or null value is returned from a
652	/// function that has nonnull return type.
653	void NullabilityChecker::checkPreStmt(const ReturnStmt *S,
654	CheckerContext &C) const {
655	auto RetExpr = S->getRetValue();
656	if (!RetExpr)
657	return;
658
659	if (!isValidPointerType(T: RetExpr->getType()))
660	return;
661
662	ProgramStateRef State = C.getState();
663	if (State ->get<InvariantViolated>())
664	return;
665
666	auto RetSVal = C.getSVal(S).getAs<DefinedOrUnknownSVal>();
667	if (!RetSVal)
668	return;
669
670	bool InSuppressedMethodFamily = false;
671
672	QualType RequiredRetType;
673	AnalysisDeclContext *DeclCtxt =
674	C.getLocationContext()->getAnalysisDeclContext();
675	const Decl *D = DeclCtxt->getDecl();
676	if (auto *MD = dyn_cast<ObjCMethodDecl>(Val: D)) {
677	// HACK: This is a big hammer to avoid warning when there are defensive
678	// nil checks in -init and -copy methods. We should add more sophisticated
679	// logic here to suppress on common defensive idioms but still
680	// warn when there is a likely problem.
681	ObjCMethodFamily Family = MD->getMethodFamily();
682	if (OMF_init == Family \|\| OMF_copy == Family \|\| OMF_mutableCopy == Family)
683	InSuppressedMethodFamily = true;
684
685	RequiredRetType = MD->getReturnType();
686	} else if (auto *FD = dyn_cast<FunctionDecl>(Val: D)) {
687	RequiredRetType = FD->getReturnType();
688	} else {
689	return;
690	}
691
692	NullConstraint Nullness = getNullConstraint(*RetSVal, State);
693
694	Nullability RequiredNullability = getNullabilityAnnotation(Type: RequiredRetType);
695
696	// If the returned value is null but the type of the expression
697	// generating it is nonnull then we will suppress the diagnostic.
698	// This enables explicit suppression when returning a nil literal in a
699	// function with a _Nonnull return type:
700	// return (NSString _Nonnull)0;*
701	Nullability RetExprTypeLevelNullability =
702	getNullabilityAnnotation(Type: lookThroughImplicitCasts(E: RetExpr)->getType());
703
704	bool NullReturnedFromNonNull = (RequiredNullability == Nullability::Nonnull &&
705	Nullness == NullConstraint::IsNull);
706	if (ChecksEnabled[CK_NullReturnedFromNonnull] && NullReturnedFromNonNull &&
707	RetExprTypeLevelNullability != Nullability::Nonnull &&
708	!InSuppressedMethodFamily && C.getLocationContext()->inTopFrame()) {
709	static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull");
710	ExplodedNode *N = C.generateErrorNode(State, Tag: &Tag);
711	if (!N)
712	return;
713
714	SmallString<`256`> SBuf;
715	llvm::raw_svector_ostream OS(SBuf);
716	OS << (RetExpr->getType()->isObjCObjectPointerType() ? "nil" : "Null");
717	OS << " returned from a " << C.getDeclDescription(D) <<
718	" that is expected to return a non-null value";
719	reportBugIfInvariantHolds(OS.str(), ErrorKind::NilReturnedToNonnull,
720	CK_NullReturnedFromNonnull, N, nullptr, C,
721	RetExpr);
722	return;
723	}
724
725	// If null was returned from a non-null function, mark the nullability
726	// invariant as violated even if the diagnostic was suppressed.
727	if (NullReturnedFromNonNull) {
728	State = State ->set<InvariantViolated>(true);
729	C.addTransition(State);
730	return;
731	}
732
733	const MemRegion Region = getTrackRegion(Val: RetSVal);
734	if (!Region)
735	return;
736
737	const NullabilityState *TrackedNullability =
738	State ->get<NullabilityMap>(key: Region);
739	if (TrackedNullability) {
740	Nullability TrackedNullabValue = TrackedNullability->getValue();
741	if (ChecksEnabled[CK_NullableReturnedFromNonnull] &&
742	Nullness != NullConstraint::IsNotNull &&
743	TrackedNullabValue == Nullability::Nullable &&
744	RequiredNullability == Nullability::Nonnull) {
745	static CheckerProgramPointTag Tag(this, "NullableReturnedFromNonnull");
746	ExplodedNode *N = C.addTransition(State, Pred: C.getPredecessor(), Tag: &Tag);
747
748	SmallString<`256`> SBuf;
749	llvm::raw_svector_ostream OS(SBuf);
750	OS << "Nullable pointer is returned from a " << C.getDeclDescription(D) <<
751	" that is expected to return a non-null value";
752
753	reportBugIfInvariantHolds(Msg: OS.str(), Error: ErrorKind::NullableReturnedToNonnull,
754	CK: CK_NullableReturnedFromNonnull, N, Region, C);
755	}
756	return;
757	}
758	if (RequiredNullability == Nullability::Nullable) {
759	State = State ->set<NullabilityMap>(K: Region,
760	E: NullabilityState(RequiredNullability,
761	S));
762	C.addTransition(State);
763	}
764	}
765
766	/// This callback warns when a nullable pointer or a null value is passed to a
767	/// function that expects its argument to be nonnull.
768	void NullabilityChecker::checkPreCall(const CallEvent &Call,
769	CheckerContext &C) const {
770	if (!Call.getDecl())
771	return;
772
773	ProgramStateRef State = C.getState();
774	if (State ->get<InvariantViolated>())
775	return;
776
777	ProgramStateRef OrigState = State;
778
779	unsigned Idx = `0`;
780	for (const ParmVarDecl *Param : Call.parameters()) {
781	if (Param->isParameterPack())
782	break;
783
784	if (Idx >= Call.getNumArgs())
785	break;
786
787	const Expr *ArgExpr = Call.getArgExpr(Index: Idx);
788	auto ArgSVal = Call.getArgSVal(Index: Idx++).getAs<DefinedOrUnknownSVal>();
789	if (!ArgSVal)
790	continue;
791
792	if (!isValidPointerType(Param->getType()) &&
793	!Param->getType()->isReferenceType())
794	continue;
795
796	NullConstraint Nullness = getNullConstraint(Val: *ArgSVal, State);
797
798	Nullability RequiredNullability =
799	getNullabilityAnnotation(Param->getType());
800	Nullability ArgExprTypeLevelNullability =
801	getNullabilityAnnotation(Type: lookThroughImplicitCasts(E: ArgExpr)->getType());
802
803	unsigned ParamIdx = Param->getFunctionScopeIndex() + `1`;
804
805	if (ChecksEnabled[CK_NullPassedToNonnull] &&
806	Nullness == NullConstraint::IsNull &&
807	ArgExprTypeLevelNullability != Nullability::Nonnull &&
808	RequiredNullability == Nullability::Nonnull &&
809	isDiagnosableCall(Call)) {
810	ExplodedNode *N = C.generateErrorNode(State);
811	if (!N)
812	return;
813
814	SmallString<`256`> SBuf;
815	llvm::raw_svector_ostream OS(SBuf);
816	OS << (Param->getType()->isObjCObjectPointerType() ? "nil" : "Null");
817	OS << " passed to a callee that requires a non-null " << ParamIdx
818	<< llvm::getOrdinalSuffix(Val: ParamIdx) << " parameter";
819	reportBugIfInvariantHolds(OS.str(), ErrorKind::NilPassedToNonnull,
820	CK_NullPassedToNonnull, N, nullptr, C, ArgExpr,
821	/SuppressPath=/false);
822	return;
823	}
824
825	const MemRegion Region = getTrackRegion(Val: ArgSVal);
826	if (!Region)
827	continue;
828
829	const NullabilityState *TrackedNullability =
830	State ->get<NullabilityMap>(key: Region);
831
832	if (TrackedNullability) {
833	if (Nullness == NullConstraint::IsNotNull \|\|
834	TrackedNullability->getValue() != Nullability::Nullable)
835	continue;
836
837	if (ChecksEnabled[CK_NullablePassedToNonnull] &&
838	RequiredNullability == Nullability::Nonnull &&
839	isDiagnosableCall(Call)) {
840	ExplodedNode *N = C.addTransition(State);
841	SmallString<`256`> SBuf;
842	llvm::raw_svector_ostream OS(SBuf);
843	OS << "Nullable pointer is passed to a callee that requires a non-null "
844	<< ParamIdx << llvm::getOrdinalSuffix(Val: ParamIdx) << " parameter";
845	reportBugIfInvariantHolds(OS.str(), ErrorKind::NullablePassedToNonnull,
846	CK_NullablePassedToNonnull, N, Region, C,
847	ArgExpr, /SuppressPath=/true);
848	return;
849	}
850	if (ChecksEnabled[CK_NullableDereferenced] &&
851	Param->getType()->isReferenceType()) {
852	ExplodedNode *N = C.addTransition(State);
853	reportBugIfInvariantHolds("Nullable pointer is dereferenced",
854	ErrorKind::NullableDereferenced,
855	CK_NullableDereferenced, N, Region, C,
856	ArgExpr, /SuppressPath=/true);
857	return;
858	}
859	continue;
860	}
861	}
862	if (State != OrigState)
863	C.addTransition(State);
864	}
865
866	/// Suppress the nullability warnings for some functions.
867	void NullabilityChecker::checkPostCall(const CallEvent &Call,
868	CheckerContext &C) const {
869	auto Decl = Call.getDecl();
870	if (!Decl)
871	return;
872	// ObjC Messages handles in a different callback.
873	if (Call.getKind() == CE_ObjCMessage)
874	return;
875	const FunctionType *FuncType = Decl->getFunctionType();
876	if (!FuncType)
877	return;
878	QualType ReturnType = FuncType->getReturnType();
879	if (!isValidPointerType(T: ReturnType))
880	return;
881	ProgramStateRef State = C.getState();
882	if (State ->get<InvariantViolated>())
883	return;
884
885	const MemRegion *Region = getTrackRegion(Val: Call.getReturnValue());
886	if (!Region)
887	return;
888
889	// CG headers are misannotated. Do not warn for symbols that are the results
890	// of CG calls.
891	const SourceManager &SM = C.getSourceManager();
892	StringRef FilePath = SM.getFilename(SpellingLoc: SM.getSpellingLoc(Loc: Decl->getBeginLoc()));
893	if (llvm::sys::path::filename(path: FilePath).starts_with(Prefix: "CG")) {
894	State = State ->set<NullabilityMap>(K: Region, E: Nullability::Contradicted);
895	C.addTransition(State);
896	return;
897	}
898
899	const NullabilityState *TrackedNullability =
900	State ->get<NullabilityMap>(key: Region);
901
902	// ObjCMessageExpr gets the actual type through
903	// Sema::getMessageSendResultType, instead of using the return type of
904	// MethodDecl directly. The final type is generated by considering the
905	// nullability of receiver and MethodDecl together. Thus, The type of
906	// ObjCMessageExpr is prefer.
907	if (const Expr *E = Call.getOriginExpr())
908	ReturnType = E->getType();
909
910	if (!TrackedNullability &&
911	getNullabilityAnnotation(Type: ReturnType) == Nullability::Nullable) {
912	State = State ->set<NullabilityMap>(K: Region, E: Nullability::Nullable);
913	C.addTransition(State);
914	}
915	}
916
917	static Nullability getReceiverNullability(const ObjCMethodCall &M,
918	ProgramStateRef State) {
919	if (M.isReceiverSelfOrSuper()) {
920	// For super and super class receivers we assume that the receiver is
921	// nonnull.
922	return Nullability::Nonnull;
923	}
924	// Otherwise look up nullability in the state.
925	SVal Receiver = M.getReceiverSVal();
926	if (auto DefOrUnknown = Receiver.getAs<DefinedOrUnknownSVal>()) {
927	// If the receiver is constrained to be nonnull, assume that it is nonnull
928	// regardless of its type.
929	NullConstraint Nullness = getNullConstraint(Val: *DefOrUnknown, State);
930	if (Nullness == NullConstraint::IsNotNull)
931	return Nullability::Nonnull;
932	}
933	auto ValueRegionSVal = Receiver.getAs<loc::MemRegionVal>();
934	if (ValueRegionSVal) {
935	const MemRegion *SelfRegion = ValueRegionSVal ->getRegion();
936	assert(SelfRegion);
937
938	const NullabilityState *TrackedSelfNullability =
939	State ->get<NullabilityMap>(key: SelfRegion);
940	if (TrackedSelfNullability)
941	return TrackedSelfNullability->getValue();
942	}
943	return Nullability::Unspecified;
944	}
945
946	// The return value of a property access is typically a temporary value which
947	// will not be tracked in a persistent manner by the analyzer. We use
948	// evalAssume() in order to immediately record constraints on those temporaries
949	// at the time they are imposed (e.g. by a nil-check conditional).
950	ProgramStateRef NullabilityChecker::evalAssume(ProgramStateRef State, SVal Cond,
951	bool Assumption) const {
952	PropertyAccessesMapTy PropertyAccesses = State ->get<PropertyAccessesMap>();
953	for (auto [PropKey, PropVal] : PropertyAccesses) {
954	if (!PropVal.isConstrainedNonnull) {
955	ConditionTruthVal IsNonNull = State ->isNonNull(V: PropVal.Value);
956	if (IsNonNull.isConstrainedTrue()) {
957	ConstrainedPropertyVal Replacement = PropVal;
958	Replacement.isConstrainedNonnull = true;
959	State = State ->set<PropertyAccessesMap>(K: PropKey, E: Replacement);
960	} else if (IsNonNull.isConstrainedFalse()) {
961	// Space optimization: no point in tracking constrained-null cases
962	State = State ->remove<PropertyAccessesMap>(K: PropKey);
963	}
964	}
965	}
966
967	return State;
968	}
969
970	/// Calculate the nullability of the result of a message expr based on the
971	/// nullability of the receiver, the nullability of the return value, and the
972	/// constraints.
973	void NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M,
974	CheckerContext &C) const {
975	auto Decl = M.getDecl();
976	if (!Decl)
977	return;
978	QualType RetType = Decl->getReturnType();
979	if (!isValidPointerType(T: RetType))
980	return;
981
982	ProgramStateRef State = C.getState();
983	if (State ->get<InvariantViolated>())
984	return;
985
986	const MemRegion *ReturnRegion = getTrackRegion(Val: M.getReturnValue());
987	if (!ReturnRegion)
988	return;
989
990	auto Interface = Decl->getClassInterface();
991	auto Name = Interface ? Interface->getName() : "";
992	// In order to reduce the noise in the diagnostics generated by this checker,
993	// some framework and programming style based heuristics are used. These
994	// heuristics are for Cocoa APIs which have NS prefix.
995	if (Name.starts_with("NS")) {
996	// Developers rely on dynamic invariants such as an item should be available
997	// in a collection, or a collection is not empty often. Those invariants can
998	// not be inferred by any static analysis tool. To not to bother the users
999	// with too many false positives, every item retrieval function should be
1000	// ignored for collections. The instance methods of dictionaries in Cocoa
1001	// are either item retrieval related or not interesting nullability wise.
1002	// Using this fact, to keep the code easier to read just ignore the return
1003	// value of every instance method of dictionaries.
1004	if (M.isInstanceMessage() && Name.contains("Dictionary")) {
1005	State =
1006	State ->set<NullabilityMap>(K: ReturnRegion, E: Nullability::Contradicted);
1007	C.addTransition(State);
1008	return;
1009	}
1010	// For similar reasons ignore some methods of Cocoa arrays.
1011	StringRef FirstSelectorSlot = M.getSelector().getNameForSlot(argIndex: `0`);
1012	if (Name.contains("Array") &&
1013	(FirstSelectorSlot == "firstObject" \|\|
1014	FirstSelectorSlot == "lastObject")) {
1015	State =
1016	State ->set<NullabilityMap>(K: ReturnRegion, E: Nullability::Contradicted);
1017	C.addTransition(State);
1018	return;
1019	}
1020
1021	// Encoding related methods of string should not fail when lossless
1022	// encodings are used. Using lossless encodings is so frequent that ignoring
1023	// this class of methods reduced the emitted diagnostics by about 30% on
1024	// some projects (and all of that was false positives).
1025	if (Name.contains("String")) {
1026	for (auto *Param : M.parameters()) {
1027	if (Param->getName() == "encoding") {
1028	State = State ->set<NullabilityMap>(K: ReturnRegion,
1029	E: Nullability::Contradicted);
1030	C.addTransition(State);
1031	return;
1032	}
1033	}
1034	}
1035	}
1036
1037	const ObjCMessageExpr *Message = M.getOriginExpr();
1038	Nullability SelfNullability = getReceiverNullability(M, State);
1039
1040	const NullabilityState *NullabilityOfReturn =
1041	State ->get<NullabilityMap>(key: ReturnRegion);
1042
1043	if (NullabilityOfReturn) {
1044	// When we have a nullability tracked for the return value, the nullability
1045	// of the expression will be the most nullable of the receiver and the
1046	// return value.
1047	Nullability RetValTracked = NullabilityOfReturn->getValue();
1048	Nullability ComputedNullab =
1049	getMostNullable(Lhs: RetValTracked, Rhs: SelfNullability);
1050	if (ComputedNullab != RetValTracked &&
1051	ComputedNullab != Nullability::Unspecified) {
1052	const Stmt *NullabilitySource =
1053	ComputedNullab == RetValTracked
1054	? NullabilityOfReturn->getNullabilitySource()
1055	: Message->getInstanceReceiver();
1056	State = State ->set<NullabilityMap>(
1057	K: ReturnRegion, E: NullabilityState (ComputedNullab, NullabilitySource));
1058	C.addTransition(State);
1059	}
1060	return;
1061	}
1062
1063	// No tracked information. Use static type information for return value.
1064	Nullability RetNullability = getNullabilityAnnotation(Message->getType());
1065
1066	// Properties might be computed, which means the property value could
1067	// theoretically change between calls even in commonly-observed cases like
1068	// this:
1069	//
1070	// if (foo.prop) { // ok, it's nonnull here...
1071	// [bar doStuffWithNonnullVal:foo.prop]; // ...but what about
1072	// here?
1073	// }
1074	//
1075	// If the property is nullable-annotated, a naive analysis would lead to many
1076	// false positives despite the presence of probably-correct nil-checks. To
1077	// reduce the false positive rate, we maintain a history of the most recently
1078	// observed property value. For each property access, if the prior value has
1079	// been constrained to be not nil then we will conservatively assume that the
1080	// next access can be inferred as nonnull.
1081	if (RetNullability != Nullability::Nonnull &&
1082	M.getMessageKind() == OCM_PropertyAccess && !C.wasInlined) {
1083	bool LookupResolved = false;
1084	if (const MemRegion *ReceiverRegion = getTrackRegion(Val: M.getReceiverSVal())) {
1085	if (const IdentifierInfo *Ident =
1086	M.getSelector().getIdentifierInfoForSlot(argIndex: `0`)) {
1087	LookupResolved = true;
1088	ObjectPropPair Key = std::make_pair(x&: ReceiverRegion, y&: Ident);
1089	const ConstrainedPropertyVal *PrevPropVal =
1090	State ->get<PropertyAccessesMap>(key: Key);
1091	if (PrevPropVal && PrevPropVal->isConstrainedNonnull) {
1092	RetNullability = Nullability::Nonnull;
1093	} else {
1094	// If a previous property access was constrained as nonnull, we hold
1095	// on to that constraint (effectively inferring that all subsequent
1096	// accesses on that code path can be inferred as nonnull). If the
1097	// previous property access was not* constrained as nonnull, then*
1098	// let's throw it away in favor of keeping the SVal associated with
1099	// this more recent access.
1100	if (auto ReturnSVal =
1101	M.getReturnValue().getAs<DefinedOrUnknownSVal>()) {
1102	State = State ->set<PropertyAccessesMap>(
1103	K: Key, E: ConstrainedPropertyVal (*ReturnSVal));
1104	}
1105	}
1106	}
1107	}
1108
1109	if (!LookupResolved) {
1110	// Fallback: err on the side of suppressing the false positive.
1111	RetNullability = Nullability::Nonnull;
1112	}
1113	}
1114
1115	Nullability ComputedNullab = getMostNullable(Lhs: RetNullability, Rhs: SelfNullability);
1116	if (ComputedNullab == Nullability::Nullable) {
1117	const Stmt *NullabilitySource = ComputedNullab == RetNullability
1118	? Message
1119	: Message->getInstanceReceiver();
1120	State = State ->set<NullabilityMap>(
1121	K: ReturnRegion, E: NullabilityState (ComputedNullab, NullabilitySource));
1122	C.addTransition(State);
1123	}
1124	}
1125
1126	/// Explicit casts are trusted. If there is a disagreement in the nullability
1127	/// annotations in the destination and the source or '0' is casted to nonnull
1128	/// track the value as having contraditory nullability. This will allow users to
1129	/// suppress warnings.
1130	void NullabilityChecker::checkPostStmt(const ExplicitCastExpr *CE,
1131	CheckerContext &C) const {
1132	QualType OriginType = CE->getSubExpr()->getType();
1133	QualType DestType = CE->getType();
1134	if (!isValidPointerType(T: OriginType))
1135	return;
1136	if (!isValidPointerType(T: DestType))
1137	return;
1138
1139	ProgramStateRef State = C.getState();
1140	if (State ->get<InvariantViolated>())
1141	return;
1142
1143	Nullability DestNullability = getNullabilityAnnotation(Type: DestType);
1144
1145	// No explicit nullability in the destination type, so this cast does not
1146	// change the nullability.
1147	if (DestNullability == Nullability::Unspecified)
1148	return;
1149
1150	auto RegionSVal = C.getSVal(CE).getAs<DefinedOrUnknownSVal>();
1151	const MemRegion Region = getTrackRegion(Val: RegionSVal);
1152	if (!Region)
1153	return;
1154
1155	// When 0 is converted to nonnull mark it as contradicted.
1156	if (DestNullability == Nullability::Nonnull) {
1157	NullConstraint Nullness = getNullConstraint(*RegionSVal, State);
1158	if (Nullness == NullConstraint::IsNull) {
1159	State = State ->set<NullabilityMap>(K: Region, E: Nullability::Contradicted);
1160	C.addTransition(State);
1161	return;
1162	}
1163	}
1164
1165	const NullabilityState *TrackedNullability =
1166	State ->get<NullabilityMap>(key: Region);
1167
1168	if (!TrackedNullability) {
1169	if (DestNullability != Nullability::Nullable)
1170	return;
1171	State = State ->set<NullabilityMap>(K: Region,
1172	E: NullabilityState(DestNullability, CE));
1173	C.addTransition(State);
1174	return;
1175	}
1176
1177	if (TrackedNullability->getValue() != DestNullability &&
1178	TrackedNullability->getValue() != Nullability::Contradicted) {
1179	State = State ->set<NullabilityMap>(K: Region, E: Nullability::Contradicted);
1180	C.addTransition(State);
1181	}
1182	}
1183
1184	/// For a given statement performing a bind, attempt to syntactically
1185	/// match the expression resulting in the bound value.
1186	static const Expr * matchValueExprForBind(const Stmt *S) {
1187	// For `x = e` the value expression is the right-hand side.
1188	if (auto *BinOp = dyn_cast<BinaryOperator>(Val: S)) {
1189	if (BinOp->getOpcode() == BO_Assign)
1190	return BinOp->getRHS();
1191	}
1192
1193	// For `int x = e` the value expression is the initializer.
1194	if (auto *DS = dyn_cast<DeclStmt>(Val: S)) {
1195	if (DS->isSingleDecl()) {
1196	auto *VD = dyn_cast<VarDecl>(Val: DS->getSingleDecl());
1197	if (!VD)
1198	return nullptr;
1199
1200	if (const Expr *Init = VD->getInit())
1201	return Init;
1202	}
1203	}
1204
1205	return nullptr;
1206	}
1207
1208	/// Returns true if \param S is a DeclStmt for a local variable that
1209	/// ObjC automated reference counting initialized with zero.
1210	static bool isARCNilInitializedLocal(CheckerContext &C, const Stmt *S) {
1211	// We suppress diagnostics for ARC zero-initialized _Nonnull locals. This
1212	// prevents false positives when a _Nonnull local variable cannot be
1213	// initialized with an initialization expression:
1214	// NSString _Nonnull s; // no-warning*
1215	// @autoreleasepool {
1216	// s = ...
1217	// }
1218	//
1219	// FIXME: We should treat implicitly zero-initialized _Nonnull locals as
1220	// uninitialized in Sema's UninitializedValues analysis to warn when a use of
1221	// the zero-initialized definition will unexpectedly yield nil.
1222
1223	// Locals are only zero-initialized when automated reference counting
1224	// is turned on.
1225	if (!C.getASTContext().getLangOpts().ObjCAutoRefCount)
1226	return false;
1227
1228	auto *DS = dyn_cast<DeclStmt>(Val: S);
1229	if (!DS \|\| !DS->isSingleDecl())
1230	return false;
1231
1232	auto *VD = dyn_cast<VarDecl>(Val: DS->getSingleDecl());
1233	if (!VD)
1234	return false;
1235
1236	// Sema only zero-initializes locals with ObjCLifetimes.
1237	if(!VD->getType().getQualifiers().hasObjCLifetime())
1238	return false;
1239
1240	const Expr *Init = VD->getInit();
1241	assert(Init && "ObjC local under ARC without initializer");
1242
1243	// Return false if the local is explicitly initialized (e.g., with '= nil').
1244	if (!isa<ImplicitValueInitExpr>(Val: Init))
1245	return false;
1246
1247	return true;
1248	}
1249
1250	/// Propagate the nullability information through binds and warn when nullable
1251	/// pointer or null symbol is assigned to a pointer with a nonnull type.
1252	void NullabilityChecker::checkBind(SVal L, SVal V, const Stmt *S,
1253	CheckerContext &C) const {
1254	const TypedValueRegion *TVR =
1255	dyn_cast_or_null<TypedValueRegion>(Val: L.getAsRegion());
1256	if (!TVR)
1257	return;
1258
1259	QualType LocType = TVR->getValueType();
1260	if (!isValidPointerType(T: LocType))
1261	return;
1262
1263	ProgramStateRef State = C.getState();
1264	if (State ->get<InvariantViolated>())
1265	return;
1266
1267	auto ValDefOrUnknown = V.getAs<DefinedOrUnknownSVal>();
1268	if (!ValDefOrUnknown)
1269	return;
1270
1271	NullConstraint RhsNullness = getNullConstraint(Val: *ValDefOrUnknown, State);
1272
1273	Nullability ValNullability = Nullability::Unspecified;
1274	if (SymbolRef Sym = ValDefOrUnknown ->getAsSymbol())
1275	ValNullability = getNullabilityAnnotation(Type: Sym->getType());
1276
1277	Nullability LocNullability = getNullabilityAnnotation(Type: LocType);
1278
1279	// If the type of the RHS expression is nonnull, don't warn. This
1280	// enables explicit suppression with a cast to nonnull.
1281	Nullability ValueExprTypeLevelNullability = Nullability::Unspecified;
1282	const Expr *ValueExpr = matchValueExprForBind(S);
1283	if (ValueExpr) {
1284	ValueExprTypeLevelNullability =
1285	getNullabilityAnnotation(Type: lookThroughImplicitCasts(E: ValueExpr)->getType());
1286	}
1287
1288	bool NullAssignedToNonNull = (LocNullability == Nullability::Nonnull &&
1289	RhsNullness == NullConstraint::IsNull);
1290	if (ChecksEnabled[CK_NullPassedToNonnull] && NullAssignedToNonNull &&
1291	ValNullability != Nullability::Nonnull &&
1292	ValueExprTypeLevelNullability != Nullability::Nonnull &&
1293	!isARCNilInitializedLocal(C, S)) {
1294	static CheckerProgramPointTag Tag(this, "NullPassedToNonnull");
1295	ExplodedNode *N = C.generateErrorNode(State, Tag: &Tag);
1296	if (!N)
1297	return;
1298
1299
1300	const Stmt *ValueStmt = S;
1301	if (ValueExpr)
1302	ValueStmt = ValueExpr;
1303
1304	SmallString<`256`> SBuf;
1305	llvm::raw_svector_ostream OS(SBuf);
1306	OS << (LocType ->isObjCObjectPointerType() ? "nil" : "Null");
1307	OS << " assigned to a pointer which is expected to have non-null value";
1308	reportBugIfInvariantHolds(Msg: OS.str(), Error: ErrorKind::NilAssignedToNonnull,
1309	CK: CK_NullPassedToNonnull, N, Region: nullptr, C, ValueExpr: ValueStmt);
1310	return;
1311	}
1312
1313	// If null was returned from a non-null function, mark the nullability
1314	// invariant as violated even if the diagnostic was suppressed.
1315	if (NullAssignedToNonNull) {
1316	State = State ->set<InvariantViolated>(true);
1317	C.addTransition(State);
1318	return;
1319	}
1320
1321	// Intentionally missing case: '0' is bound to a reference. It is handled by
1322	// the DereferenceChecker.
1323
1324	const MemRegion ValueRegion = getTrackRegion(Val: ValDefOrUnknown);
1325	if (!ValueRegion)
1326	return;
1327
1328	const NullabilityState *TrackedNullability =
1329	State ->get<NullabilityMap>(key: ValueRegion);
1330
1331	if (TrackedNullability) {
1332	if (RhsNullness == NullConstraint::IsNotNull \|\|
1333	TrackedNullability->getValue() != Nullability::Nullable)
1334	return;
1335	if (ChecksEnabled[CK_NullablePassedToNonnull] &&
1336	LocNullability == Nullability::Nonnull) {
1337	static CheckerProgramPointTag Tag(this, "NullablePassedToNonnull");
1338	ExplodedNode *N = C.addTransition(State, Pred: C.getPredecessor(), Tag: &Tag);
1339	reportBugIfInvariantHolds(Msg: "Nullable pointer is assigned to a pointer "
1340	"which is expected to have non-null value",
1341	Error: ErrorKind::NullableAssignedToNonnull,
1342	CK: CK_NullablePassedToNonnull, N, Region: ValueRegion, C);
1343	}
1344	return;
1345	}
1346
1347	const auto *BinOp = dyn_cast<BinaryOperator>(Val: S);
1348
1349	if (ValNullability == Nullability::Nullable) {
1350	// Trust the static information of the value more than the static
1351	// information on the location.
1352	const Stmt *NullabilitySource = BinOp ? BinOp->getRHS() : S;
1353	State = State ->set<NullabilityMap>(
1354	K: ValueRegion, E: NullabilityState (ValNullability, NullabilitySource));
1355	C.addTransition(State);
1356	return;
1357	}
1358
1359	if (LocNullability == Nullability::Nullable) {
1360	const Stmt *NullabilitySource = BinOp ? BinOp->getLHS() : S;
1361	State = State ->set<NullabilityMap>(
1362	K: ValueRegion, E: NullabilityState (LocNullability, NullabilitySource));
1363	C.addTransition(State);
1364	}
1365	}
1366
1367	void NullabilityChecker::printState(raw_ostream &Out, ProgramStateRef State,
1368	const char NL, const* char Sep) const* {
1369
1370	NullabilityMapTy B = State ->get<NullabilityMap>();
1371
1372	if (State ->get<InvariantViolated>())
1373	Out << Sep << NL
1374	<< "Nullability invariant was violated, warnings suppressed." << NL;
1375
1376	if (B.isEmpty())
1377	return;
1378
1379	if (!State ->get<InvariantViolated>())
1380	Out << Sep << NL;
1381
1382	for (auto [Region, State] : B) {
1383	Out << Region << " : ";
1384	State.print(Out);
1385	Out << NL;
1386	}
1387	}
1388
1389	void ento::registerNullabilityBase(CheckerManager &mgr) {
1390	mgr.registerChecker<NullabilityChecker>();
1391	}
1392
1393	bool ento::shouldRegisterNullabilityBase(const CheckerManager &mgr) {
1394	return true;
1395	}
1396
1397	#define REGISTER_CHECKER(name, trackingRequired) \
1398	void ento::register##name##Checker(CheckerManager &mgr) { \
1399	NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>(); \
1400	checker->ChecksEnabled[NullabilityChecker::CK_##name] = true; \
1401	checker->CheckNames[NullabilityChecker::CK_##name] = \
1402	mgr.getCurrentCheckerName(); \
1403	checker->NeedTracking = checker->NeedTracking \|\| trackingRequired; \
1404	checker->NoDiagnoseCallsToSystemHeaders = \
1405	checker->NoDiagnoseCallsToSystemHeaders \|\| \
1406	mgr.getAnalyzerOptions().getCheckerBooleanOption( \
1407	checker, "NoDiagnoseCallsToSystemHeaders", true); \
1408	} \
1409	\
1410	bool ento::shouldRegister##name##Checker(const CheckerManager &mgr) { \
1411	return true; \
1412	}
1413
1414	// The checks are likely to be turned on by default and it is possible to do
1415	// them without tracking any nullability related information. As an optimization
1416	// no nullability information will be tracked when only these two checks are
1417	// enables.
1418	REGISTER_CHECKER(NullPassedToNonnull, false)
1419	REGISTER_CHECKER(NullReturnedFromNonnull, false)
1420
1421	REGISTER_CHECKER(NullableDereferenced, true)
1422	REGISTER_CHECKER(NullablePassedToNonnull, true)
1423	REGISTER_CHECKER(NullableReturnedFromNonnull, true)
1424

source code of clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp