[clang] [clang][nullability] allow _Nonnull etc on nullable class types (PR #82705)

Sam McCall via cfe-commits cfe-commits at lists.llvm.org
Mon Mar 11 06:52:03 PDT 2024


================
@@ -215,6 +215,18 @@ void Sema::inferGslOwnerPointerAttribute(CXXRecordDecl *Record) {
   inferGslPointerAttribute(Record, Record);
 }
 
+void Sema::inferNullableClassAttribute(CXXRecordDecl *CRD) {
+  static llvm::StringSet<> Nullable{
+      "auto_ptr",         "shared_ptr", "unique_ptr",         "exception_ptr",
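Review bot: The `Nullable` set at the top of `inferNullableClassAttribute` holds bare names such as `shared_ptr` and `unique_ptr`, and nothing in the visible lines limits the match to the standard library. If the lookup further down does not already check that `CRD` is declared in namespace `std`, an unrelated user class with one of these names would be treated as nullable, so that check should be added or made explicit. A one-line comment above the set stating the criterion for inclusion would also help reviewers judge later additions consistently.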
----------------
sam-mccall wrote:

I don't think our nullability concept is a good match for weak pointers - they don't behave like other pointers.

If a managed object is shared across threads, then the nullable/non-null distinction isn't useful. Allowing it to be used in contracts is probably harmful (attractive nuisance & breaks analyses that treat nullable objects generically). Since pointers may become null at any point without running any code, implementations should always treat them as nullable, generic static analysis gives incorrect results, and dynamic checks are racy. Threads are involved reasonably often and it's not locally possible to tell.

In the absence of threads, `weak_ptr<T>`s that must not be null should almost always be `shared_ptr<T> _Nonnull` instead, and probably are. (This isn't a strong objection: `T* _Nonnull` is useful despite `T&` existing - but raw pointers are *way* more common than weak ones).

https://github.com/llvm/llvm-project/pull/82705
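
The check-then-use gap described in the comment above, as an added C++ example that is not part of the PR or of the original message. `Session`, `check_then_use` and `lock_then_use` are hypothetical names, and a callback on a single thread stands in for another thread releasing the last owner.

```cpp
#include <memory>
#include <string>

// Hypothetical type, for illustration only.
struct Session { std::string user; };

// Check-then-use: the "non-null" observation is stale as soon as it is made,
// because whoever holds the last shared_ptr can drop it without touching `w`.
// `release_owner` stands in for another thread (or a callback) doing that.
template <typename F>
bool check_then_use(const std::weak_ptr<Session> &w, F release_owner) {
  if (w.expired()) return false;  // looks like a null check...
  release_owner();                // ...but the owner goes away here
  return w.lock() != nullptr;     // false: the pointer became null unobserved
}

// Treat the weak_ptr as always nullable: lock() once, test the resulting
// shared_ptr, and use only that. The strong reference keeps the object alive
// for the rest of the scope, so it is the value a non-null contract can cover.
template <typename F>
std::string lock_then_use(const std::weak_ptr<Session> &w, F release_owner) {
  std::shared_ptr<Session> s = w.lock();
  if (!s) return "<gone>";
  release_owner();                // owner drops its reference; `s` still holds one
  return s->user;
}

// Both patterns run against a freshly owned Session (constructed sample data).
bool object_alive_after_check() {
  auto owner = std::make_shared<Session>(Session{"alice"});
  std::weak_ptr<Session> w = owner;
  return check_then_use(w, [&] { owner.reset(); });
}

std::string locked_value() {
  auto owner = std::make_shared<Session>(Session{"alice"});
  std::weak_ptr<Session> w = owner;
  return lock_then_use(w, [&] { owner.reset(); });
}

int main() {
  return (!object_alive_after_check() && locked_value() == "alice") ? 0 : 1;
}
```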

