[PATCH] D152269: [StaticAnalyzer] Fix false negative on NilArgChecker when creating literal object

tripleCC via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Jun 6 19:51:23 PDT 2023 

tripleCC added inline comments.


================
Comment at: clang/lib/StaticAnalyzer/Checkers/BasicObjCFoundationChecks.cpp:151-164
+  auto ArgSVal = C.getSVal(E).getAs<DefinedOrUnknownSVal>();
+  if (!ArgSVal)
+    return;
+
+  ProgramStateRef StNonNull, StNull;
+  std::tie(StNonNull, StNull) = State->assume(*ArgSVal);
+
----------------
steakhal wrote:
> steakhal wrote:
> > This means that we would raise an issue if `ArgSVal` might be null. We usually warn if we are sure there is a bug, aka. if it must be null. Consequently, the condition should be rather `StNull && !StNonNull` instead of just `StNull`.
> Ah I see now. My bad, thats the whole point of this :D
Not exactly, this meas that if ArgSVal might be null, we dispatch an "implicit" null event to NullabilityChecker. NullabilityChecker would emit a warning if the pointer is nullable  in `checkEvent` function:

```c++
/// This callback triggers when a pointer is dereferenced and the analyzer does
/// not know anything about the value of that pointer. When that pointer is
/// nullable, this code emits a warning.
void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const {
  if (Event.SinkNode->getState()->get<InvariantViolated>())
    return;

  const MemRegion *Region =
      getTrackRegion(Event.Location, /*CheckSuperRegion=*/true);
  if (!Region)
    return;

  ProgramStateRef State = Event.SinkNode->getState();
  const NullabilityState *TrackedNullability =
      State->get<NullabilityMap>(Region);

  if (!TrackedNullability)
    return;

  if (ChecksEnabled[CK_NullableDereferenced] &&
      TrackedNullability->getValue() == Nullability::Nullable) {
    BugReporter &BR = *Event.BR;
    // Do not suppress errors on defensive code paths, because dereferencing
    // a nullable pointer is always an error.
    if (Event.IsDirectDereference)
      reportBug("Nullable pointer is dereferenced",
                ErrorKind::NullableDereferenced, CK_NullableDereferenced,
                Event.SinkNode, Region, BR);
    else {
      reportBug("Nullable pointer is passed to a callee that requires a "
                "non-null",
                ErrorKind::NullablePassedToNonnull, CK_NullableDereferenced,
                Event.SinkNode, Region, BR);
    }
  }
}
```


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D152269/new/

https://reviews.llvm.org/D152269

More information about the cfe-commits mailing list