Use the dataflow analysis framework to propagate the nullability of expressions.
Consider the following code:
```
template<typename T0, typename T1>
struct Pair{
T0 f;
T1 s;
};
void target(Pair<int*, int * _Nullable> p) {
*p.f;
}
```
We want to know whether `*p.f` is a null-safe operation. If `p` were a concrete structure, it would suffice to look at its type. However, since p is not concrete, its type signature has no nullability annotations: all sugar has been stripped away during template instantiation.
The base expression of `p.f` is `p`. If we look at the AST of `p.f`, we will find a `DeclRefExpr` of `p`, which looks roughly like this:
```DeclRefExpr 0x55... <col:x> 'Pair<int *, int * _Nullable>':'Pair<int *, int *>' lvalue ParmVar 0x55... 'p' 'Pair<int *, int * _Nullable>':'Pair<int *, int *>'```
Note that the nullability annotation that we wrote when declaring `p` is present in the `DeclRefExpr`. What is the nullability of `p`? Well, we can go over all the pointer types “inside” `p`'s `DeclRefExpr` and keep track of each of their nullabilities. We could even go ahead and store this information in some kind of data structure. Here, `p` is a `Pair` specialization with one non-annotated pointer and one pointer annotated as nullable. We can thus construct a *nullability vector* for `p` that looks like this: `{Unknown, _Nullable}`.
If we know that `p` has nullability `{Unknown, _Nullable}`, and if we know that the return type of `.f` is the first type argument of `p`, we can find that the nullability of `p.f` is `Unknown`, so the dereference above is safe.
Up until now, we have been uncovering the nullability of class template specializations as described above: we would find the expression's "base type" (in the case above, a `DeclRefExpr`), and use that to find the expression's nullability.
Now, consider a slightly more complex member access:
```
template<typename T0, typename T1>
struct Pair{
T0 f;
T1 s;
};
void target(Pair<Pair<int*, int * _Nullable>, int* _Nonnull> p) {
*p.f.s;
}
```
Again, we would want to look into the base expression of `p.f.s` to find its nullability. However, the base of `p.f.s` is `p.f`, which is itself also a `MemberExpr`. Like `.s`, `.f` does not contain type sugar. We would thus have to go one level further to find the `DeclRefExpr` of `p`. From there, we can compute the nullability of `p.f`, and use that to compute the nullability of `p.f.s`.
To search for the nullability of a templated expression as described above, we could recursively pattern match over different expression shapes. From a given expression, we would dive all the way down to its `Decl`, read its nullability, and then move up the AST, at each stage using the nullability of the "previous" expression to compute that of the one being visited. This is what we have been doing for a limited range of expression shapes. However, this process of traversing an AST in post-order is already done by our static analysis. Therefore, we could add this construction of nullability annotations as a step in relevant transfer functions. This is what this CL introduces.
Now, when processing a CFG element, we do the following:
1) If the element is a `DeclRefExpr` (e.g., `p`), construct its nullability vector from the type annotations (in this case, `{Unknown, _Nullable, _Nonnull}`), and store that in the `ExprToNullability` map in the dataflow lattice.
2) If the element is a `MemberExpr` (e.g., `.f` or `.s`), find the element’s base (in this case, `p` and `.f`, respectively), search for its nullability in the lattice maps, and use information about its type and the base type to construct its own nullability vector (`{Unknown, _Nullable}` and `{_Nullable}`, respectively). Store this vector in the `ExprToNullability` map.
This allows us to find the nullability of expressions whose base types have been desugared, without having to pattern match over specific expression shapes.
We currently process `MemberExpr` and `DeclRefExpr` CFG elements as defined above, but such a construction would also be useful for other expression types. For example, adding support for `MemberCallExpr`s would allow us to correctly assess the nullability of concatenated member *function* calls, such as `x.getArg0().getArg1()`.
PiperOrigin-RevId: 496120804
diff --git a/nullability_verification/BUILD b/nullability_verification/BUILD
index d15de47..e28cfaf 100644
--- a/nullability_verification/BUILD
+++ b/nullability_verification/BUILD
@@ -3,7 +3,10 @@
cc_library(
name = "pointer_nullability_lattice",
hdrs = ["pointer_nullability_lattice.h"],
- deps = ["@llvm-project//clang:analysis"],
+ deps = [
+ "@absl//absl/container:flat_hash_map",
+ "@llvm-project//clang:analysis",
+ ],
)
cc_library(
diff --git a/nullability_verification/pointer_nullability_analysis.cc b/nullability_verification/pointer_nullability_analysis.cc
index 9c9e9ad..eb8a639 100644
--- a/nullability_verification/pointer_nullability_analysis.cc
+++ b/nullability_verification/pointer_nullability_analysis.cc
@@ -127,6 +127,18 @@
Visit(TA.getAsType());
}
}
+
+ void VisitRecordType(const RecordType* RT) {
+ if (auto* CTSD = dyn_cast<ClassTemplateSpecializationDecl>(RT->getDecl())) {
+ for (auto& TA : CTSD->getTemplateArgs().asArray()) {
+ Visit(TA);
+ }
+ }
+ }
+
+ void VisitTemplateSpecializationType(const TemplateSpecializationType* TST) {
+ Visit(TST->desugar());
+ }
};
unsigned countPointersInType(QualType T) {
@@ -164,13 +176,22 @@
ArrayRef<NullabilityKind> BaseNullabilityAnnotations, QualType BaseType) {
unsigned PointerCount = 0;
unsigned ArgIndex = STTPT->getIndex();
- if (auto TST = BaseType->getAs<TemplateSpecializationType>()) {
- for (auto TA : TST->template_arguments().take_front(ArgIndex)) {
- PointerCount += countPointersInType(TA);
+ if (auto RT = BaseType->getAs<RecordType>()) {
+ if (auto CTSD = dyn_cast<ClassTemplateSpecializationDecl>(RT->getDecl())) {
+ auto TemplateArgs = CTSD->getTemplateArgs().asArray();
+ for (auto TA : TemplateArgs.take_front(ArgIndex)) {
+ PointerCount += countPointersInType(TA);
+ }
+ unsigned SliceSize = countPointersInType(TemplateArgs[ArgIndex]);
+ if (BaseNullabilityAnnotations.size() < PointerCount + SliceSize) {
+ // TODO: Currently, BaseNullabilityAnnotations can be erroneously empty
+ // due to lack of expression coverage. Use the dataflow lattice to
+ // retrieve correct base type annotations. Then, remove this fallback.
+ return {};
+ } else {
+ return BaseNullabilityAnnotations.slice(PointerCount, SliceSize);
+ }
}
- unsigned SliceSize =
- countPointersInType(TST->template_arguments()[ArgIndex]);
- return BaseNullabilityAnnotations.slice(PointerCount, SliceSize);
}
return ArrayRef<NullabilityKind>();
}
@@ -264,11 +285,11 @@
QualType getBaseType(const Expr* E) {
if (auto ME = dyn_cast<MemberExpr>(E)) {
- return getBaseType(ME->getBase());
+ return ME->getBase()->getType();
} else if (auto MC = dyn_cast<CXXMemberCallExpr>(E)) {
- return getBaseType(MC->getImplicitObjectArgument());
- } else if (auto DRE = dyn_cast<DeclRefExpr>(E)) {
- return DRE->getType();
+ return MC->getImplicitObjectArgument()->getType();
+ } else if (auto ICE = dyn_cast<ImplicitCastExpr>(E)) {
+ return ICE->getSubExpr()->getType();
}
// TODO: Handle other expression shapes and base types.
else {
@@ -299,30 +320,45 @@
return NullabilityAnnotations[0];
}
-NullabilityKind getPointerNullability(const Expr* E, ASTContext& Ctx) {
+NullabilityKind getPointerNullability(const Expr* E, ASTContext& Ctx,
+ PointerNullabilityAnalysis::Lattice& L) {
QualType ExprType = E->getType();
- NullabilityKind Nullability =
- ExprType->getNullability(Ctx).value_or(NullabilityKind::Unspecified);
- if (Nullability == NullabilityKind::Unspecified) {
- // If the type does not contain nullability information, try to gather it
- // from the expression itself.
+ Optional<NullabilityKind> Nullability = ExprType->getNullability(Ctx);
+
+ // If the expression's type does not contain nullability information, it may
+ // be a template instantiation. Look up the nullability in the
+ // `ExprToNullability` map.
+ if (Nullability.value_or(NullabilityKind::Unspecified) ==
+ NullabilityKind::Unspecified) {
+ if (auto MaybeNullability = L.getExprNullability(E)) {
+ if (!MaybeNullability->empty()) {
+ // Return the nullability of the topmost pointer in the type.
+ Nullability = (*MaybeNullability)[0];
+ }
+ }
+ }
+ // TODO: Expand the dataflow analysis algorithm to propagate the nullability
+ // of more expression shapes (e.g., method calls), and then delete
+ // getNullabilityFromTemplatedExpression.
+ if (!Nullability.has_value()) {
Nullability = getNullabilityFromTemplatedExpression(E);
}
- return Nullability;
+ return Nullability.value_or(NullabilityKind::Unspecified);
}
void initPointerFromAnnotations(PointerValue& PointerVal, const Expr* E,
- Environment& Env, ASTContext& Ctx) {
- NullabilityKind Nullability = getPointerNullability(E, Ctx);
+ TransferState<PointerNullabilityLattice>& State,
+ ASTContext& Ctx) {
+ NullabilityKind Nullability = getPointerNullability(E, Ctx, State.Lattice);
switch (Nullability) {
case NullabilityKind::NonNull:
- initNotNullPointer(PointerVal, Env);
+ initNotNullPointer(PointerVal, State.Env);
break;
case NullabilityKind::Nullable:
- initNullablePointer(PointerVal, Env);
+ initNullablePointer(PointerVal, State.Env);
break;
default:
- initUnknownPointer(PointerVal, Env);
+ initUnknownPointer(PointerVal, State.Env);
}
}
@@ -346,7 +382,7 @@
const MatchFinder::MatchResult& Result,
TransferState<PointerNullabilityLattice>& State) {
if (auto* PointerVal = getPointerValueFromExpr(PointerExpr, State.Env)) {
- initPointerFromAnnotations(*PointerVal, PointerExpr, State.Env,
+ initPointerFromAnnotations(*PointerVal, PointerExpr, State,
*Result.Context);
}
}
@@ -422,10 +458,51 @@
State.Env.setValue(CallExprLoc, *PointerVal);
State.Env.setStorageLocation(*CallExpr, CallExprLoc);
}
- initPointerFromAnnotations(*PointerVal, CallExpr, State.Env, *Result.Context);
+ initPointerFromAnnotations(*PointerVal, CallExpr, State, *Result.Context);
}
-auto buildTransferer() {
+void transferDeclRefExpr(const DeclRefExpr* DRE,
+ const MatchFinder::MatchResult& MR,
+ TransferState<PointerNullabilityLattice>& State) {
+ State.Lattice.insertExprNullabilityIfAbsent(
+ DRE, [&]() { return getNullabilityAnnotationsFromType(DRE->getType()); });
+ if (DRE->getType()->isPointerType()) {
+ transferPointer(DRE, MR, State);
+ }
+}
+
+void transferMemberExpr(const MemberExpr* ME,
+ const MatchFinder::MatchResult& MR,
+ TransferState<PointerNullabilityLattice>& State) {
+ State.Lattice.insertExprNullabilityIfAbsent(ME, [&]() {
+ auto BaseNullability = State.Lattice.getExprNullability(ME->getBase());
+ if (BaseNullability.has_value()) {
+ return substituteNullabilityAnnotationsInTemplate(
+ ME->getType(), *BaseNullability, ME->getBase()->getType());
+ } else {
+ // Since we process child nodes before parents, we should already have
+ // computed the base (child) nullability. However, this is not true in all
+ // test cases. So, we return unspecified nullability annotations.
+ // TODO: Fix this issue, add ._has_value() as a CHECK statement and remove
+ // else branch.
+ return std::vector<NullabilityKind>(countPointersInType(ME->getType()),
+ NullabilityKind::Unspecified);
+ }
+ });
+ if (ME->getType()->isPointerType()) {
+ transferPointer(ME, MR, State);
+ }
+}
+
+auto buildNonFlowSensitiveTransferer() {
+ return CFGMatchSwitchBuilder<TransferState<PointerNullabilityLattice>>()
+ .CaseOfCFGStmt<DeclRefExpr>(ast_matchers::declRefExpr(),
+ transferDeclRefExpr)
+ .CaseOfCFGStmt<MemberExpr>(ast_matchers::memberExpr(), transferMemberExpr)
+ .Build();
+}
+
+auto buildFlowSensitiveTransferer() {
return CFGMatchSwitchBuilder<TransferState<PointerNullabilityLattice>>()
// Handles initialization of the null states of pointers.
.CaseOfCFGStmt<Expr>(isCXXThisExpr(), transferNotNullPointer)
@@ -446,13 +523,15 @@
PointerNullabilityAnalysis::PointerNullabilityAnalysis(ASTContext& Context)
: DataflowAnalysis<PointerNullabilityAnalysis, PointerNullabilityLattice>(
Context),
- Transferer(buildTransferer()) {}
+ NonFlowSensitiveTransferer(buildNonFlowSensitiveTransferer()),
+ FlowSensitiveTransferer(buildFlowSensitiveTransferer()) {}
void PointerNullabilityAnalysis::transfer(const CFGElement* Elt,
PointerNullabilityLattice& Lattice,
Environment& Env) {
TransferState<PointerNullabilityLattice> State(Lattice, Env);
- Transferer(*Elt, getASTContext(), State);
+ NonFlowSensitiveTransferer(*Elt, getASTContext(), State);
+ FlowSensitiveTransferer(*Elt, getASTContext(), State);
}
BoolValue& mergeBoolValues(BoolValue& Bool1, const Environment& Env1,
diff --git a/nullability_verification/pointer_nullability_analysis.h b/nullability_verification/pointer_nullability_analysis.h
index 4515091..c740b2b 100644
--- a/nullability_verification/pointer_nullability_analysis.h
+++ b/nullability_verification/pointer_nullability_analysis.h
@@ -22,10 +22,16 @@
class PointerNullabilityAnalysis
: public dataflow::DataflowAnalysis<PointerNullabilityAnalysis,
PointerNullabilityLattice> {
+ private:
+ absl::flat_hash_map<const Expr*, std::vector<NullabilityKind>>
+ ExprToNullability;
+
public:
explicit PointerNullabilityAnalysis(ASTContext& context);
- static PointerNullabilityLattice initialElement() { return {}; }
+ PointerNullabilityLattice initialElement() {
+ return PointerNullabilityLattice(&ExprToNullability);
+ }
void transfer(const CFGElement* Elt, PointerNullabilityLattice& Lattice,
dataflow::Environment& Env);
@@ -36,9 +42,13 @@
dataflow::Environment& MergedEnv) override;
private:
- // Applies transfer functions on statements
+ // Applies non-flow-sensitive transfer functions on statements
dataflow::CFGMatchSwitch<dataflow::TransferState<PointerNullabilityLattice>>
- Transferer;
+ NonFlowSensitiveTransferer;
+
+ // Applies flow-sensitive transfer functions on statements
+ dataflow::CFGMatchSwitch<dataflow::TransferState<PointerNullabilityLattice>>
+ FlowSensitiveTransferer;
};
} // namespace nullability
} // namespace tidy
diff --git a/nullability_verification/pointer_nullability_lattice.h b/nullability_verification/pointer_nullability_lattice.h
index 506e2c0..67e4d3a 100644
--- a/nullability_verification/pointer_nullability_lattice.h
+++ b/nullability_verification/pointer_nullability_lattice.h
@@ -7,6 +7,7 @@
#include <ostream>
+#include "absl/container/flat_hash_map.h"
#include "clang/Analysis/FlowSensitive/DataflowAnalysis.h"
#include "clang/Analysis/FlowSensitive/DataflowLattice.h"
@@ -15,7 +16,38 @@
namespace nullability {
class PointerNullabilityLattice {
+ private:
+ // Owned by the PointerNullabilityAnalysis object, shared by all lattice
+ // elements within one analysis run.
+ absl::flat_hash_map<const Expr *, std::vector<NullabilityKind>>
+ *ExprToNullability;
+
public:
+ PointerNullabilityLattice(
+ absl::flat_hash_map<const Expr *, std::vector<NullabilityKind>>
+ *ExprToNullability)
+ : ExprToNullability(ExprToNullability) {}
+
+ Optional<ArrayRef<NullabilityKind>> getExprNullability(const Expr *E) {
+ auto I = ExprToNullability->find(E);
+ return I == ExprToNullability->end()
+ ? std::nullopt
+ : Optional<ArrayRef<NullabilityKind>>(I->second);
+ }
+
+ // If the `ExprToNullability` map already contains an entry for `E`, does
+ // nothing. Otherwise, inserts a new entry with key `E` and value computed by
+ // the provided GetNullability.
+ void insertExprNullabilityIfAbsent(
+ const Expr *E,
+ const std::function<std::vector<NullabilityKind>()> &GetNullability) {
+ auto [Iterator, Inserted] =
+ ExprToNullability->insert({E, std::vector<NullabilityKind>()});
+ if (Inserted) {
+ Iterator->second = GetNullability();
+ }
+ }
+
bool operator==(const PointerNullabilityLattice &Other) const { return true; }
dataflow::LatticeJoinEffect join(const PointerNullabilityLattice &Other) {
diff --git a/nullability_verification/pointer_nullability_verification_test.cc b/nullability_verification/pointer_nullability_verification_test.cc
index 4ed0585..ee2c0d1 100644
--- a/nullability_verification/pointer_nullability_verification_test.cc
+++ b/nullability_verification/pointer_nullability_verification_test.cc
@@ -1496,18 +1496,159 @@
)cc");
}
-TEST(PointerNullabilityTest, MemberExpressionOfClassTemplateInstantiation) {
- // Class template specialization with 2 arguments with nullable second
- // argument.
+// TODO: Fix false negatives.
+TEST(PointerNullabilityTest, ClassTemplateInstantiation) {
+ // Class template specialization with one argument initialised as _Nullable.
+ // We test types that contain both nullability that is substituted into the
+ // template argument and nullability that is spelt inside the template. That
+ // is, we should be able to accurately store nullabilities from different
+ // sources in a single nullability vector.
+ checkDiagnostics(R"cc(
+ template <typename T0>
+ struct Struct1Arg {
+ T0 arg0;
+ T0 *unknownTPtr;
+ T0 *_Nullable nullableTPtr;
+ T0 *_Nonnull nonnullTPtr;
+
+ T0 getT();
+ T0 *getUnknownTPtr();
+ T0 *_Nullable getNullableTPtr();
+ T0 *_Nonnull getNonnullTPtr();
+ };
+ void target(Struct1Arg<int *_Nullable> p) {
+ *p.arg0; // [[unsafe]]
+ *p.unknownTPtr;
+ *p.nullableTPtr; // [[unsafe]]
+ *p.nonnullTPtr;
+ **p.unknownTPtr; // TODO: fix false negative.
+ **p.nullableTPtr; // [[unsafe]]
+ **p.nonnullTPtr; // TODO: fix false negative.
+
+ *p.getT(); // [[unsafe]]
+ *p.getUnknownTPtr();
+ *p.getNullableTPtr(); // [[unsafe]]
+ *p.getNonnullTPtr();
+ **p.getUnknownTPtr(); // TODO: fix false negative.
+ **p.getNullableTPtr(); // [[unsafe]]
+ **p.getNonnullTPtr(); // TODO: fix false negative.
+ }
+ )cc");
+
+ // Class template specialization with one argument initialised as _Nonnull.
+ checkDiagnostics(R"cc(
+ template <typename T0>
+ struct Struct1Arg {
+ T0 arg0;
+ T0 *unknownTPtr;
+ T0 *_Nullable nullableTPtr;
+ T0 *_Nonnull nonnullTPtr;
+
+ T0 getT();
+ T0 *getUnknownTPtr();
+ T0 *_Nullable getNullableTPtr();
+ T0 *_Nonnull getNonnullTPtr();
+ };
+
+ void target(Struct1Arg<int *_Nonnull> p) {
+ *p.getT();
+ *p.getUnknownTPtr();
+ *p.getNullableTPtr(); // [[unsafe]]
+ *p.getNonnullTPtr();
+ **p.getUnknownTPtr();
+ **p.getNullableTPtr(); // [[unsafe]]
+ **p.getNonnullTPtr();
+
+ *p.arg0;
+ *p.unknownTPtr;
+ *p.nullableTPtr; // [[unsafe]]
+ *p.nonnullTPtr;
+ **p.unknownTPtr;
+ **p.nullableTPtr; // [[unsafe]]
+ **p.nonnullTPtr;
+ }
+ )cc");
+
+ // Class template specialization with one argument initialised without
+ // nullability annotation.
+ checkDiagnostics(R"cc(
+ template <typename T0>
+ struct Struct1Arg {
+ T0 arg0;
+ T0 *unknownTPtr;
+ T0 *_Nullable nullableTPtr;
+ T0 *_Nonnull nonnullTPtr;
+ T0 getT();
+
+ T0 *getUnknownTPtr();
+ T0 *_Nullable getNullableTPtr();
+ T0 *_Nonnull getNonnullTPtr();
+ };
+
+ void target(Struct1Arg<int *> p) {
+ *p.getT();
+ *p.getUnknownTPtr();
+ *p.getNullableTPtr(); // [[unsafe]]
+ *p.getNonnullTPtr();
+ **p.getUnknownTPtr();
+ **p.getNullableTPtr(); // [[unasfe]]
+ **p.getNonnullTPtr();
+
+ *p.arg0;
+ *p.unknownTPtr;
+ *p.nullableTPtr; // [[unsafe]]
+ *p.nonnullTPtr;
+ **p.unknownTPtr;
+ **p.nullableTPtr; // [[unsafe]]
+ **p.nonnullTPtr;
+ }
+ )cc");
+
+ // Class template specialization with two arguments, whose second argument is
+ // initialized as nullable.
checkDiagnostics(R"cc(
template <typename T0, typename T1>
struct Struct2Arg {
T0 arg0;
+ T0 *unknownT0Ptr;
+ T0 *_Nullable nullableT0Ptr;
+ T0 *_Nonnull nonnullT0Ptr;
+
T1 arg1;
+ T1 *unknownT1Ptr;
+ T1 *_Nullable nullableT1Ptr;
+ T1 *_Nonnull nonnullT1Ptr;
+
+ T0 getT0();
+ T0 *getUnknownT0Ptr();
+ T0 *_Nullable getNullableT0Ptr();
+ T0 *_Nonnull getNonnullT0Ptr();
+
+ T1 getT1();
+ T1 *getUnknownT1Ptr();
+ T1 *_Nullable getNullableT1Ptr();
+ T1 *_Nonnull getNonnullT1Ptr();
};
- void target(Struct2Arg<int* _Nonnull, double* _Nullable> p) {
+
+ void target(Struct2Arg<int *_Nonnull, double *_Nullable> p) {
*p.arg0;
*p.arg1; // [[unsafe]]
+
+ *p.unknownT0Ptr;
+ *p.nullableT0Ptr; // [[unsafe]]
+ *p.nonnullT0Ptr;
+
+ *p.unknownT1Ptr;
+ *p.nullableT1Ptr; // [[unsafe]]
+ *p.nonnullT1Ptr;
+
+ *p.getUnknownT0Ptr();
+ *p.getNullableT0Ptr(); // [[unsafe]]
+ *p.getNonnullT0Ptr();
+
+ *p.getUnknownT1Ptr();
+ *p.getNullableT1Ptr(); // [[unsafe]]
+ *p.getNonnullT1Ptr();
}
)cc");
@@ -1521,6 +1662,12 @@
T2 arg2;
T3 arg3;
T4 arg4;
+
+ T0 getT0();
+ T1 getT1();
+ T2 getT2();
+ T3 getT3();
+ T4 getT4();
};
void target(Struct5Arg<int* _Nullable, double* _Nonnull, float*,
double* _Nullable, int* _Nonnull>
@@ -1530,6 +1677,12 @@
*p.arg2;
*p.arg3; // [[unsafe]]
*p.arg4;
+
+ *p.getT0(); // [[unsafe]]
+ *p.getT1();
+ *p.getT2();
+ *p.getT3(); // [[unsafe]]
+ *p.getT4();
}
)cc");
@@ -1543,71 +1696,361 @@
T2 arg2;
T3 arg3;
T4 arg4;
+
+ T0 getT0();
+ T1 getT1();
+ T2 getT2();
+ T3 getT3();
+ T4 getT4();
};
- void target(Struct5Arg<int* _Nullable, double const* const _Nonnull, float*,
- double const* const _Nullable, int* _Nonnull>
+ void target(Struct5Arg<int* const _Nullable, double const* const _Nonnull,
+ float*, double const* const _Nullable, int* _Nonnull>
p) {
*p.arg0; // [[unsafe]]
*p.arg1;
*p.arg2;
*p.arg3; // [[unsafe]]
*p.arg4;
+
+ *p.getT0(); // TODO: fix false negative.
+ *p.getT1();
+ *p.getT2();
+ *p.getT3(); // TODO: fix false negative.
+ *p.getT4();
}
)cc");
- // Class template specialization with interleaved int and typename arguments.
+ // Class template specialization with interleaved int and type template
+ // parameters.
checkDiagnostics(R"cc(
- template <typename T0, int I1, typename T2, int T3, typename T4>
- struct Struct5Arg {
- T0 arg0;
- T2 arg2;
- T4 arg4;
+ template <int I0, typename T1, int I2, typename T3, int I4, typename T5>
+ struct Struct6ArgWithInt {
+ T1 arg1;
+ T3 arg3;
+ T5 arg5;
+
+ T1 getT1();
+ T3 getT3();
+ T5 getT5();
};
- void target(Struct5Arg<int* _Nullable, 0, float*, 1, int* _Nullable> p) {
- *p.arg0; // [[unsafe]]
- *p.arg2;
- *p.arg4; // [[unsafe]]
+ void target(
+ Struct6ArgWithInt<0, int *_Nullable, 1, int *_Nullable, 2, int *> &x) {
+ *x.arg1; // [[unsafe]]
+ *x.arg3; // [[unsafe]]
+ *x.arg5;
+
+ *x.getT1(); // [[unsafe]]
+ *x.getT3(); // [[unsafe]]
+ *x.getT5();
+ }
+ )cc");
+}
+
+// TODO: Fix false positives and false negatives.
+TEST(PointerNullabilityTest,
+ ClassTemplateInstantiationWithStructsAsParameters) {
+ checkDiagnostics(R"cc(
+ struct Struct3IntPtrs {
+ int* unknown;
+ int* _Nullable nullable;
+ int* _Nonnull nonnull;
+
+ int* getUnknown();
+ int* _Nullable getNullable();
+ int* _Nonnull getNonnull();
+ };
+
+ template <typename T0>
+ struct Struct1Arg {
+ T0 arg0;
+ T0 getT0();
+ };
+
+ void target(Struct1Arg<Struct3IntPtrs> p) {
+ *p.arg0.unknown;
+ *p.arg0.nullable; // [[unsafe]]
+ *p.arg0.nonnull;
+
+ *p.arg0.getUnknown();
+ *p.arg0.getNullable(); // [[unsafe]]
+ *p.arg0.getNonnull();
+
+ *p.getT0().unknown; // [[unsafe]] TODO: fix false positive.
+ *p.getT0().nullable; // [[unsafe]]
+ *p.getT0().nonnull; // [[unsafe]] TODO: fix false positive.
+
+ *p.getT0().getUnknown();
+ *p.getT0().getNullable(); // [[unsafe]]
+ *p.getT0().getNonnull();
}
)cc");
- // Class template specialization with interleaved int and typename arguments
- // where some arguments are const.
checkDiagnostics(R"cc(
- template <typename T0, int I1, typename T2, int T3, typename T4>
- struct Struct5Arg {
- T0 arg0;
- T2 arg2;
- T4 arg4;
+ struct Struct1UnknownArg {
+ char* unknownChar;
+
+ char* getUnknownChar();
};
- void target(Struct5Arg<int const* const _Nullable, 0, float const* const, 1,
- int* _Nullable>
+
+ struct Struct1NullableArg {
+ char* _Nullable nullableChar;
+
+ char* _Nullable getNullableChar();
+ };
+
+ struct Struct1NonnullArg {
+ char* _Nonnull nonnullChar;
+
+ char* _Nonnull getNonnullChar();
+ };
+
+ struct StructLotsOfArgs {
+ int num;
+ long long* unknownLongLong;
+ double* _Nullable nullableDouble;
+ float* _Nonnull nonnullFloat;
+ short* unknownShort;
+ unsigned int* _Nullable nullableUInt;
+ bool* _Nullable nullableBool;
+
+ long long* getUnknownLongLong();
+ double* _Nullable getNullableDouble();
+ float* _Nonnull getNonnullFloat();
+ short* getUnknownShort();
+ unsigned int* _Nullable getNullableUInt();
+ bool* _Nullable getNullableBool();
+ };
+
+ template <typename T0, typename T1, typename T2, typename T3>
+ struct Struct4Arg {
+ T0 arg0;
+ T1 arg1;
+ T2 arg2;
+ T3 arg3;
+
+ T0 getT0();
+ T1 getT1();
+ T2 getT2();
+ T3 getT3();
+ };
+
+ void target(Struct4Arg<Struct1UnknownArg, Struct1NullableArg,
+ Struct1NonnullArg, StructLotsOfArgs>
p) {
- *p.arg0; // [[unsafe]]
- *p.arg2;
- *p.arg4; // [[unsafe]]
+ *p.arg0.unknownChar;
+ *p.arg1.nullableChar; // [[unsafe]]
+ *p.arg2.nonnullChar;
+ *p.arg3.unknownLongLong;
+ *p.arg3.nullableDouble; // [[unsafe]]
+ *p.arg3.nonnullFloat;
+ *p.arg3.unknownShort;
+ *p.arg3.nullableUInt; // [[unsafe]]
+ *p.arg3.nullableBool; // [[unsafe]]
+
+ *p.arg0.getUnknownChar();
+ *p.arg1.getNullableChar(); // [[unsafe]]
+ *p.arg2.getNonnullChar();
+ *p.arg3.getUnknownLongLong();
+ *p.arg3.getNullableDouble(); // [[unsafe]]
+ *p.arg3.getNonnullFloat();
+ *p.arg3.getUnknownShort();
+ *p.arg3.getNullableUInt(); // [[unsafe]]
+ *p.arg3.getNullableBool(); // [[unsafe]]
+
+ *p.getT0().unknownChar; // [[unsafe]] TODO: fix false positive.
+ *p.getT1().nullableChar; // [[unsafe]]
+ *p.getT2().nonnullChar; // [[unsafe]] TODO: fix false positive.
+ *p.getT3().unknownLongLong; // [[unsafe]] TODO: fix false positive.
+ *p.getT3().nullableDouble; // [[unsafe]]
+ *p.getT3().nonnullFloat; // [[unsafe]] TODO: fix false positive.
+ *p.getT3().unknownShort; // [[unsafe]] TODO: fix false positive.
+ *p.getT3().nullableUInt; // [[unsafe]]
+ *p.getT3().nullableBool; // [[unsafe]]
+
+ *p.getT0().getUnknownChar();
+ *p.getT1().getNullableChar(); // [[unsafe]]
+ *p.getT2().getNonnullChar();
+ *p.getT3().getUnknownLongLong();
+ *p.getT3().getNullableDouble(); // [[unsafe]]
+ *p.getT3().getNonnullFloat();
+ *p.getT3().getUnknownShort();
+ *p.getT3().getNullableUInt(); // [[unsafe]]
+ *p.getT3().getNullableBool(); // [[unsafe]]
}
)cc");
- // Class template specialization with interleaved int and typename arguments
- // where all type arguments are const
+ // With const arguments and int template parameter.
checkDiagnostics(R"cc(
- template <typename T0, int I1, typename T2, int T3, typename T4>
- struct Struct5Arg {
- T0 arg0;
- T2 arg2;
- T4 arg4;
+ struct Struct1UnknownArg {
+ char* const constUnknownChar;
+ char const* unknownConstChar;
+ char const* const constUnknownConstChar;
+
+ char* const getConstUnknownChar();
+ char const* getUnknownConstChar();
+ char const* const getConstUnknownConstChar();
};
- void target(Struct5Arg<int const* const _Nullable, 0, float const* const, 1,
- int const* const _Nullable>
- p) {
- *p.arg0; // [[unsafe]]
- *p.arg2;
- *p.arg4; // [[unsafe]]
+
+ struct Struct1NullableArg {
+ char* const _Nullable constNullableChar;
+ char const* _Nullable nullableConstChar;
+ char const* const _Nullable constNullableConstChar;
+
+ char* const _Nullable getConstNullableChar();
+ char const* _Nullable getNullableConstChar();
+ char* const* _Nullable getConstNullableConstChar();
+ };
+
+ struct Struct1NonnullArg {
+ char* const _Nonnull constNonnullChar;
+ char const* _Nonnull nonnullConstChar;
+ char const* const _Nonnull constNonnullConstChar;
+
+ char* const _Nonnull getConstNonnullChar();
+ char const* _Nonnull getNonnullConstChar();
+ char const* const _Nonnull getConstNonnullConstChar();
+ };
+
+ template <int I0, typename T1, typename T2, typename T3>
+ struct Struct4Arg {
+ T1 arg1;
+ T2 arg2;
+ T3 arg3;
+
+ T1 getT1();
+ T2 getT2();
+ T3 getT3();
+ };
+
+ void target(
+ Struct4Arg<4, Struct1UnknownArg, Struct1NullableArg, Struct1NonnullArg>
+ p) {
+ *p.arg1.constUnknownChar;
+ *p.arg1.unknownConstChar;
+ *p.arg1.constUnknownConstChar;
+ *p.arg2.constNullableChar; // [[unsafe]]
+ *p.arg2.nullableConstChar; // [[unsafe]]
+ *p.arg2.constNullableConstChar; // [[unsafe]]
+ *p.arg3.constNonnullChar;
+ *p.arg3.nonnullConstChar;
+ *p.arg3.constNonnullConstChar;
+
+ *p.arg1.getConstUnknownChar();
+ *p.arg1.getUnknownConstChar();
+ *p.arg1.getConstUnknownConstChar();
+ *p.arg2.getConstNullableChar(); // TODO: fix false negative.
+ *p.arg2.getNullableConstChar(); // [[unsafe]]
+ *p.arg2.getConstNullableConstChar(); // [[unsafe]]
+ *p.arg3.getConstNonnullChar();
+ *p.arg3.getNonnullConstChar();
+ *p.arg3.getConstNonnullConstChar();
+
+ *p.getT1().constUnknownChar; // [[unsafe]] TODO: fix false positive.
+ *p.getT1().unknownConstChar; // [[unsafe]] TODO: fix false positive.
+ *p.getT1().constUnknownConstChar; // [[unsafe]] TODO: fix false positive.
+ *p.getT2().constNullableChar; // [[unsafe]]
+ *p.getT2().nullableConstChar; // [[unsafe]]
+ *p.getT2().constNullableConstChar; // [[unsafe]]
+ *p.getT3().constNonnullChar; // [[unsafe]] TODO: fix false positive.
+ *p.getT3().nonnullConstChar; // [[unsafe]] TODO: fix false positive.
+ *p.getT3().constNonnullConstChar; // [[unsafe]] TODO: fix false positive.
+
+ *p.getT1().getConstUnknownChar();
+ *p.getT1().getUnknownConstChar();
+ *p.getT1().getConstUnknownConstChar();
+ *p.getT2().getConstNullableChar(); // TODO: fix false negative.
+ *p.getT2().getNullableConstChar(); // [[unsafe]]
+ *p.getT2().getConstNullableConstChar(); // [[unsafe]]
+ *p.getT3().getConstNonnullChar();
+ *p.getT3().getNonnullConstChar();
+ *p.getT3().getConstNonnullConstChar();
+ }
+ )cc");
+}
+
+// TODO: Fix false negatives.
+TEST(PointerNullabilityTest, MemberFunctionTemplateOfConcreteStruct) {
+ checkDiagnostics(R"cc(
+ struct S {
+ template <typename T0>
+ T0 getT0();
+ };
+
+ void target(S p) {
+ *p.getT0<int *>();
+ *p.getT0<int *_Nonnull>();
+ *p.getT0<int *_Nullable>(); // TODO: fix false negative.
+
+ *p.getT0<int const *>();
+ *p.getT0<int *const>();
+ *p.getT0<int const *const>();
+ *p.getT0<int const *_Nonnull>();
+ *p.getT0<int *const _Nonnull>();
+ *p.getT0<int const *const _Nonnull>();
+ *p.getT0<int const *_Nullable>(); // TODO: fix false negative.
+ *p.getT0<int *const _Nullable>(); // TODO: fix false negative.
+ *p.getT0<int const *const _Nullable>(); // TODO: fix false negative.
}
)cc");
- // Class template specialization that uses another class template
- // specialization as a member variable.
+ checkDiagnostics(R"cc(
+ struct S {
+ template <int I0, typename T1, int I2>
+ T1 getT1();
+ };
+
+ void target(S p) {
+ *p.getT1<0, int *, 1>();
+ *p.getT1<2147483647, int *_Nonnull, -2147483647>();
+ *p.getT1<4, int *_Nullable, 4>(); // TODO: fix false negative.
+ }
+ )cc");
+}
+
+TEST(PointerNullabilityTest, MemberFunctionTemplateOfTemplateStruct) {
+ checkDiagnostics(R"cc(
+ template <typename T0>
+ struct S {
+ template <typename TN1>
+ TN1 getTN1();
+ };
+
+ void target(S<int> p) {
+ *p.getTN1<int *>();
+ *p.getTN1<int *_Nonnull>();
+ *p.getTN1<int *_Nullable>(); // TODO: fix false negative.
+
+ *p.getTN1<int const *>();
+ *p.getTN1<int *const>();
+ *p.getTN1<int const *const>();
+ *p.getTN1<int const *_Nonnull>();
+ *p.getTN1<int *const _Nonnull>();
+ *p.getTN1<int const *const _Nonnull>();
+ *p.getTN1<int const *_Nullable>(); // TODO: fix false negative.
+ *p.getTN1<int *const _Nullable>(); // TODO: fix false negative.
+ *p.getTN1<int const *const _Nullable>(); // TODO: fix false negative.
+ }
+ )cc");
+
+ checkDiagnostics(R"cc(
+ template <typename T0>
+ struct S {
+ template <int IN1, typename TN2, int IN3>
+ TN2 getTN2();
+ };
+
+ void target(S<int> p) {
+ // *p.getTN2<0, int *, 1>(); // TODO: fix crash
+ // *p.getTN2<2147483647, int * _Nonnull, -2147483647>(); // TODO: fix
+ // crash *p.getTN2<4, int * _Nullable, 4>(); // TODO: fix crash
+ }
+ )cc");
+}
+
+// TODO: Fix false positives.
+TEST(PointerNullabilityTest,
+ ClassTemplateInstantiationWithTemplateStructsAsParameters) {
+ // Class template with another class template as parameter
checkDiagnostics(R"cc(
template <typename T0, typename T1>
struct Struct2Arg {
@@ -1625,148 +2068,446 @@
*p.arg0;
*p.arg1; // [[unsafe]]
- // TODO: The following lines currently crash at getBaseType()
- // *p.arg0->arg0; // false-positive
- // *p.arg0->arg1.arg0;
- // *p.arg0->arg1.arg1; // false-positive
+ *p.arg0->arg0;
+ *p.arg0->arg1.arg0;
+ *p.arg0->arg1.arg1;
+ }
+ )cc");
+
+ // Class template with itself as parameter
+ checkDiagnostics(R"cc(
+ template <typename T0, typename T1>
+ struct Struct2Arg {
+ T0 arg0;
+ T1 arg1;
+ };
+
+ void target(Struct2Arg<Struct2Arg<int*, int* _Nullable>, int* _Nonnull> p) {
+ *p.arg0.arg0;
+ *p.arg0.arg1; // [[unsafe]]
+ *p.arg1;
+ }
+ )cc");
+
+ checkDiagnostics(R"cc(
+ template <typename T0, typename T1, typename T2, typename T3, typename T4>
+ struct Struct5Arg {
+ T0 arg0;
+ T1 arg1;
+ T2 arg2;
+ T3 arg3;
+ T4 arg4;
+ };
+
+ void
+ target(Struct5Arg<
+ Struct5Arg<
+ Struct5Arg<Struct5Arg<int* _Nullable, int* _Nonnull,
+ float* _Nullable, int*, double* _Nullable>,
+ int, int, int, int* _Nullable>,
+ int, int* _Nullable, int, int>,
+ int, int* _Nullable, int* _Nonnull, int>
+ p) {
+ *p.arg0.arg0.arg0.arg0; // [[unsafe]]
+ *p.arg0.arg0.arg0.arg1; // [[unsafe]] TODO: fix false positive.
+ *p.arg0.arg0.arg0.arg2; // [[unsafe]]
+ *p.arg0.arg0.arg0.arg3; // [[unsafe]] TODO: fix false positive.
+ *p.arg0.arg0.arg0.arg4; // [[unsafe]]
+ *p.arg0.arg0.arg4; // [[unsafe]]
+ *p.arg0.arg2; // [[unsafe]]
+ *p.arg2; // [[unsafe]]
+ *p.arg3;
+ }
+ )cc");
+
+ checkDiagnostics(R"cc(
+ template <int I0, typename T1, typename T2, typename T3, int I4,
+ typename T5, typename T6>
+ struct Struct7ArgWithInt {
+ T1 arg1;
+ T2 arg2;
+ T3 arg3;
+ T5 arg5;
+ T6 arg6;
+ };
+
+ void target(Struct7ArgWithInt<
+ 0,
+ Struct7ArgWithInt<
+ 2147483647,
+ Struct7ArgWithInt<
+ 0,
+ Struct7ArgWithInt<-2147483647, int* _Nullable,
+ int* _Nonnull, float* _Nullable, 0,
+ int*, double* _Nullable>,
+ int, int, 1, int, int* _Nullable>,
+ int, int* _Nullable, 2147483647, int, int>,
+ int, int* _Nullable, 2, int* _Nonnull, int>
+ p) {
+ *p.arg1.arg1.arg1.arg1; // [[unsafe]]
+ *p.arg1.arg1.arg1.arg2; // [[unsafe]] TODO: fix false positive.
+ *p.arg1.arg1.arg1.arg3; // [[unsafe]]
+ *p.arg1.arg1.arg1.arg5; // [[unsafe]] TODO: fix false positive.
+ *p.arg1.arg1.arg1.arg6; // [[unsafe]]
+ *p.arg1.arg1.arg6; // [[unsafe]]
+ *p.arg1.arg3; // [[unsafe]]
+ *p.arg3; // [[unsafe]]
+ *p.arg5;
}
)cc");
}
-TEST(PointerNullabilityTest, MemberCallExpressionOfClassTemplateInstantiation) {
- // Class template specialization with one argument initialised as _Nullable.
+TEST(PointerNullabilityTest,
+ ClassTemplateInstantiationWithPointersToStructsAsParameters) {
checkDiagnostics(R"cc(
+ struct Struct3IntPtrs {
+ int* unknown;
+ int* _Nullable nullable;
+ int* _Nonnull nonnull;
+
+ int* getUnknown();
+ int* _Nullable getNullable();
+ int* _Nonnull getNonnull();
+ };
+
template <typename T0>
struct Struct1Arg {
- T0 getT();
- T0 *getUnknownTPtr();
- T0 *_Nullable getNullableTPtr();
- T0 *_Nonnull getNonnullTPtr();
- };
- void target(Struct1Arg<int *_Nullable> &xs) {
- *xs.getT(); // [[unsafe]]
- *xs.getUnknownTPtr();
- **xs.getUnknownTPtr(); // false-negative
- *xs.getNullableTPtr(); // [[unsafe]]
- **xs.getNullableTPtr(); // [[unsafe]]
- *xs.getNonnullTPtr();
- **xs.getNonnullTPtr(); // false-negative
- }
- )cc");
+ T0 arg0;
- // Class template specialization with one argument initialised as _Nonnull.
- checkDiagnostics(R"cc(
- template <typename T0>
- struct Struct1Arg {
- T0 getT();
- T0 *getUnknownTPtr();
- T0 *_Nullable getNullableTPtr();
- T0 *_Nonnull getNonnullTPtr();
- };
- void target(Struct1Arg<int *_Nonnull> &xs) {
- *xs.getT();
- *xs.getUnknownTPtr();
- **xs.getUnknownTPtr();
- *xs.getNullableTPtr(); // [[unsafe]]
- **xs.getNullableTPtr(); // [[unsafe]]
- *xs.getNonnullTPtr();
- **xs.getNonnullTPtr();
- }
- )cc");
-
- // Class template specialization with one argument initialised without
- // annotation.
- checkDiagnostics(R"cc(
- template <typename T0>
- struct Struct1Arg {
- T0 getT();
- T0 *getUnknownTPtr();
- T0 *_Nullable getNullableTPtr();
- T0 *_Nonnull getNonnullTPtr();
- };
- void target(Struct1Arg<int *> &xs) {
- *xs.getT();
- *xs.getUnknownTPtr();
- **xs.getUnknownTPtr();
- *xs.getNullableTPtr(); // [[unsafe]]
- **xs.getNullableTPtr(); // [[unsafe]]
- *xs.getNonnullTPtr();
- **xs.getNonnullTPtr();
- }
- )cc");
-
- // Class template specialization with multiple arguments.
- checkDiagnostics(R"cc(
- template <typename T0, typename T1, typename T2>
- struct Struct3Arg {
- T0 getT0();
- T1 getT1();
- T2 getT2();
- };
- void target(Struct3Arg<int *, int *_Nonnull, int *_Nullable> &x) {
- *x.getT0();
- *x.getT1();
- *x.getT2(); // [[unsafe]]
- }
- )cc");
-
- // Class template specialization with multiple arguments and methods whose
- // return types are pointers to those arguments.
- checkDiagnostics(R"cc(
- template <typename T0, typename T1, typename T2>
- struct Struct3Arg {
- T0 *getUnknownT0Ptr();
- T1 *_Nullable getNullableT1Ptr();
- T2 *_Nonnull getNonnullT2Ptr();
- };
- void target(Struct3Arg<int *, int *_Nonnull, int *_Nullable> &x) {
- *x.getUnknownT0Ptr();
- **x.getUnknownT0Ptr();
- *x.getNullableT1Ptr(); // [[unsafe]]
- **x.getNullableT1Ptr(); // [[unsafe]]
- *x.getNonnullT2Ptr();
- **x.getNonnullT2Ptr(); // false-negative
- }
- )cc");
-
- // Class template specialization with int template parameters and with type as
- // first argument.
- checkDiagnostics(R"cc(
- template <typename T0, int I1, int I2>
- struct Struct3ArgWithInt {
T0 getT0();
};
- void target(Struct3ArgWithInt<int *_Nullable, 0, 1> &x) {
- *x.getT0(); // [[unsafe]]
+
+ void target(Struct1Arg<Struct3IntPtrs*> p) {
+ *p.arg0->unknown;
+ *p.arg0->nullable; // [[unsafe]]
+ *p.arg0->nonnull;
+
+ *p.arg0->getUnknown();
+ *p.arg0->getNullable(); // [[unsafe]]
+ *p.arg0->getNonnull();
+
+ *p.getT0()->unknown;
+ *p.getT0()->nullable; // [[unsafe]]
+ *p.getT0()->nonnull;
+
+ *p.getT0()->getUnknown();
+ *p.getT0()->getNullable(); // [[unsafe]]
+ *p.getT0()->getNonnull();
}
)cc");
- // Class template specialization with int template parameters and with type as
- // second argument.
checkDiagnostics(R"cc(
- template <int I0, typename T1, int I2>
- struct Struct3ArgWithInt {
- T1 getT1();
+ struct Struct3IntPtrs {
+ int* unknown;
+ int* _Nullable nullable;
+ int* _Nonnull nonnull;
+
+ int* getUnknown();
+ int* _Nullable getNullable();
+ int* _Nonnull getNonnull();
};
- void target(Struct3ArgWithInt<0, int *_Nullable, 1> &x) {
- *x.getT1(); // [[unsafe]]
+
+ template <typename T0>
+ struct Struct1Arg {
+ T0 arg0;
+
+ T0 getT0();
+ };
+
+ void target(Struct1Arg<Struct3IntPtrs* _Nullable> p) {
+ *p.arg0->unknown; // [[unsafe]]
+ *p.arg0->nullable; // [[unsafe]]
+ *p.arg0->nonnull; // [[unsafe]]
+
+ *p.arg0->getUnknown(); // [[unsafe]]
+ *p.arg0->getNullable(); // [[unsafe]]
+ *p.arg0->getNonnull(); // [[unsafe]]
+
+ *p.getT0()->unknown; // [[unsafe]]
+ *p.getT0()->nullable; // [[unsafe]]
+ *p.getT0()->nonnull; // [[unsafe]]
+
+ *p.getT0()->getUnknown(); // [[unsafe]]
+ *p.getT0()->getNullable(); // [[unsafe]]
+ *p.getT0()->getNonnull(); // [[unsafe]]
}
)cc");
- // Class template specialization with interleaved int and type template
- // parameters.
checkDiagnostics(R"cc(
- template <int I0, typename T1, int I2, typename T3, int I4, typename T5>
- struct Struct6ArgWithInt {
- T1 getT1();
- T3 getT3();
- T5 getT5();
+ struct Struct3IntPtrs {
+ int* unknown;
+ int* _Nullable nullable;
+ int* _Nonnull nonnull;
+
+ int* getUnknown();
+ int* _Nullable getNullable();
+ int* _Nonnull getNonnull();
};
- void target(
- Struct6ArgWithInt<0, int *_Nullable, 1, int *_Nullable, 2, int *> &x) {
- *x.getT1(); // [[unsafe]]
- *x.getT3(); // [[unsafe]]
- *x.getT5();
+
+ template <typename T0>
+ struct Struct1Arg {
+ T0 arg0;
+
+ T0 getT0();
+ };
+
+ void target(Struct1Arg<Struct3IntPtrs* _Nonnull> p) {
+ *p.arg0->unknown;
+ *p.arg0->nullable; // [[unsafe]]
+ *p.arg0->nonnull;
+
+ *p.arg0->getUnknown();
+ *p.arg0->getNullable(); // [[unsafe]]
+ *p.arg0->getNonnull();
+
+ *p.getT0()->unknown;
+ *p.getT0()->nullable; // [[unsafe]]
+ *p.getT0()->nonnull;
+
+ *p.getT0()->getUnknown();
+ *p.getT0()->getNullable(); // [[unsafe]]
+ *p.getT0()->getNonnull();
+ }
+ )cc");
+
+ checkDiagnostics(R"cc(
+ struct Struct3IntPtrs {
+ int* unknown;
+ int* _Nullable nullable;
+ int* _Nonnull nonnull;
+
+ int* getUnknown();
+ int* _Nullable getNullable();
+ int* _Nonnull getNonnull();
+ };
+
+ template <int I0, typename T1>
+ struct Struct2Arg {
+ T1 arg1;
+
+ T1 getT1();
+ };
+
+ void target(Struct2Arg<0, Struct3IntPtrs*> p) {
+ *p.arg1->unknown;
+ *p.arg1->nullable; // [[unsafe]]
+ *p.arg1->nonnull;
+
+ *p.arg1->getUnknown();
+ *p.arg1->getNullable(); // [[unsafe]]
+ *p.arg1->getNonnull();
+
+ *p.getT1()->unknown;
+ *p.getT1()->nullable; // [[unsafe]]
+ *p.getT1()->nonnull;
+ *p.getT1()->getUnknown();
+ *p.getT1()->getNullable(); // [[unsafe]]
+ *p.getT1()->getNonnull();
+ }
+ )cc");
+}
+
+TEST(PointerNullabilityTest,
+ ClassTemplateInstantiationWithPointersToTemplateStructsAsParameters) {
+ checkDiagnostics(R"cc(
+ template <typename T0, typename T1>
+ struct Struct2Arg {
+ T0 arg0;
+ T1 arg1;
+
+ T0 getT0();
+ T1 getT1();
+ };
+
+ void target(Struct2Arg<Struct2Arg<int *, int *_Nullable> *_Nullable,
+ Struct2Arg<int, int *> *_Nonnull>
+ p) {
+ *p.arg0; // [[unsafe]]
+ *p.arg0->arg0; // [[unsafe]]
+ *p.arg0->arg1; // [[unsafe]]
+ *p.arg1;
+ *p.arg1->arg1;
+
+ *p.arg0->getT0(); // [[unsafe]]
+ *p.arg0->getT1(); // [[unsafe]]
+ *p.arg1->getT1();
+
+ *p.getT0(); // [[unsafe]]
+ *p.getT0()->arg0; // [[unsafe]]
+ *p.getT0()->arg1; // [[unsafe]]
+ *p.getT1();
+ *p.getT1()->arg1;
+
+ *p.getT0()->getT0(); // [[unsafe]]
+ *p.getT0()->getT1(); // [[unsafe]]
+ *p.getT1()->getT1();
+ }
+ )cc");
+
+ checkDiagnostics(R"cc(
+ template <typename T0, typename T1>
+ struct StructNonnullUnknown {
+ T0 nonnull;
+ T1 unknown;
+
+ T0 getNonnull();
+ T1 getUnknown();
+ };
+
+ template <typename T0, typename T1>
+ struct StructNonnullNullable {
+ T0 nonnull;
+ T1 nullable;
+
+ T0 getNonnull();
+ T1 getNullable();
+ };
+
+ template <typename T0, typename T1>
+ struct StructNullableNonnull {
+ T0 nullable;
+ T1 nonnull;
+
+ T0 getNullable();
+ T1 getNonnull();
+ };
+
+ template <typename T0, typename T1>
+ struct StructNullableNullable {
+ T0 nullable0;
+ T1 nullable1;
+
+ T0 getNullable0();
+ T1 getNullable1();
+ };
+
+ template <typename T0, typename T1>
+ struct StructNullableUnknown {
+ T0 nullable;
+ T1 unknown;
+
+ T0 getNullable();
+ T1 getUnknown();
+ };
+
+ template <typename T0, typename T1>
+ struct StructUnknownNullable {
+ T0 unknown;
+ T1 nullable;
+
+ T0 getUnknown();
+ T1 getNullable();
+ };
+
+ void
+ target(StructNonnullUnknown<
+ StructNonnullNullable<
+ StructNullableNullable<int* _Nullable, int* _Nullable>* _Nonnull,
+ StructUnknownNullable<int*,
+ int* _Nullable>* _Nullable>* _Nonnull,
+ StructUnknownNullable<
+ StructUnknownNullable<int*, int* _Nullable>*,
+ StructNullableNonnull<int* _Nullable,
+ int* _Nonnull>* _Nullable>*>
+ p) {
+ *p.nonnull;
+ *p.nonnull->nonnull;
+ *p.nonnull->nonnull->nullable0; // TODO: fix false negative.
+ *p.nonnull->nonnull->nullable1; // TODO: fix false negative.
+ *p.nonnull->nullable; // TODO: fix false negative.
+ *p.nonnull->nullable->unknown; // TODO: fix false negative.
+ *p.nonnull->nullable->nullable; // TODO: fix false negative.
+ *p.unknown->unknown;
+ *p.unknown->unknown->unknown;
+ *p.unknown->unknown->nullable; // TODO: fix false negative.
+ *p.unknown;
+ *p.unknown->nullable; // TODO: fix false negative.
+ *p.unknown->nullable->nullable; // TODO: fix false negative.
+ *p.unknown->nullable->nonnull; // TODO: fix false negative.
+
+ *p.nonnull->getNonnull();
+ *p.nonnull->getNonnull()->nullable0; // TODO: fix false negative.
+ *p.nonnull->getNonnull()->nullable1; // TODO: fix false negative.
+ *p.nonnull->getNullable();
+ *p.nonnull->getNullable()->unknown; // TODO: fix false negative.
+ *p.nonnull->getNullable()->nullable; // TODO: fix false negative.
+ *p.unknown->getUnknown();
+ *p.unknown->getUnknown()->unknown;
+ *p.unknown->getUnknown()->nullable; // TODO: fix false negative.
+ *p.unknown->getNullable(); // TODO: fix false negative.
+ *p.unknown->getNullable()->nullable; // TODO: fix false negative.
+ *p.unknown->getNullable()->nonnull; // TODO: fix false negative.
+
+ *p.nonnull->getNonnull()->getNullable0(); // TODO: fix false negative.
+ *p.nonnull->getNonnull()->getNullable1(); // TODO: fix false negative.
+ *p.nonnull->getNullable()->getUnknown(); // TODO: fix false negative.
+ *p.nonnull->getNullable()->getNullable(); // TODO: fix false negative.
+ *p.unknown->getUnknown()->getUnknown();
+ *p.unknown->getUnknown()->getNullable(); // TODO: fix false negative.
+ *p.unknown->getNullable()->getNullable(); // TODO: fix false negative.
+ *p.unknown->getNullable()->getNonnull(); // TODO: fix false negative.
+
+ *p.nonnull->nonnull->getNullable0(); // TODO: fix false negative.
+ *p.nonnull->nonnull->getNullable1(); // TODO: fix false negative.
+ *p.nonnull->nullable->getUnknown(); // TODO: fix false negative.
+ *p.nonnull->nullable->getNullable(); // TODO: fix false negative.
+ *p.unknown->unknown->getUnknown();
+ *p.unknown->unknown->getNullable(); // TODO: fix false negative.
+ *p.unknown->nullable->getNullable(); // TODO: fix false negative.
+ *p.unknown->nullable->getNonnull(); // TODO: fix false negative.
+
+ *p.getNonnull();
+ *p.getNonnull()->nonnull;
+ *p.getNonnull()->nonnull->nullable0; // TODO: fix false negative.
+ *p.getNonnull()->nonnull->nullable1; // TODO: fix false negative.
+ *p.getNonnull()->nullable; // TODO: fix false negative.
+ *p.getNonnull()->nullable->unknown; // TODO: fix false negative.
+ *p.getNonnull()->nullable->nullable; // TODO: fix false negative.
+ *p.getUnknown()->unknown;
+ *p.getUnknown()->unknown->unknown;
+ *p.getUnknown()->unknown->nullable; // TODO: fix false negative.
+ *p.getUnknown();
+ *p.getUnknown()->nullable; // TODO: fix false negative.
+ *p.getUnknown()->nullable->nullable; // TODO: fix false negative.
+ *p.getUnknown()->nullable->nonnull; // TODO: fix false negative.
+
+ *p.getNonnull()->getNonnull();
+ *p.getNonnull()->getNonnull()->nullable0; // TODO: fix false negative.
+ *p.getNonnull()->getNonnull()->nullable1; // TODO: fix false negative.
+ *p.getNonnull()->getNullable(); // TODO: fix false negative.
+ *p.getNonnull()->getNullable()->unknown; // TODO: fix false negative.
+ *p.getNonnull()->getNullable()->nullable; // TODO: fix false negative.
+ *p.getUnknown()->getUnknown();
+ *p.getUnknown()->getUnknown()->unknown;
+ *p.getUnknown()->getUnknown()->nullable; // TODO: fix false negative.
+ *p.getUnknown()->getNullable(); // TODO: fix false negative.
+ *p.getUnknown()->getNullable()->nullable; // TODO: fix false negative.
+ *p.getUnknown()->getNullable()->nonnull; // TODO: fix false negative.
+
+ *p.getNonnull()->nonnull->getNullable0(); // TODO: fix false negative.
+ *p.getNonnull()->nonnull->getNullable1(); // TODO: fix false negative.
+ *p.getNonnull()->nullable->getUnknown(); // TODO: fix false negative.
+ *p.getNonnull()->nullable->getNullable(); // TODO: fix false negative.
+ *p.getUnknown()->unknown->getUnknown();
+ *p.getUnknown()->unknown->getNullable(); // TODO: fix false negative.
+ *p.getUnknown()->nullable->getNullable(); // TODO: fix false negative.
+ *p.getUnknown()->nullable->getNonnull(); // TODO: fix false negative.
+
+ *p.getNonnull()->getNonnull()->getNullable0(); // TODO: fix false
+ // negative.
+ *p.getNonnull()->getNonnull()->getNullable1(); // TODO: fix false
+ // negative.
+ *p.getNonnull()->getNullable()->getUnknown(); // TODO: fix false
+ // negative.
+ *p.getNonnull()->getNullable()->getNullable(); // TODO: fix false
+ // negative.
+ *p.getUnknown()->getUnknown()->getUnknown();
+ *p.getUnknown()->getUnknown()->getNullable(); // TODO: fix false
+ // negative.
+ *p.getUnknown()->getNullable()->getNullable(); // TODO: fix false
+ // negative.
+ *p.getUnknown()->getNullable()->getNonnull(); // TODO: fix false
+ // negative.
}
)cc");
}
