warn on null assigned to _Nonnull members, locals, and deref after

Author: cs01

clang/include/clang/Analysis/Analyses/FlowNullability.h

@@ -38,6 +38,8 @@ class FlowNullabilityHandler {
                                     QualType ReturnType) {}
   virtual void handleNullableAssignment(const Expr *AssignExpr,
                                         const VarDecl *LHSVar) {}
+  virtual void handleNullableMemberAssignment(const Expr *AssignExpr,
+                                              const FieldDecl *Member) {}
   virtual void handleNullableArgument(const Expr *ArgExpr,
                                       const ParmVarDecl *Param) {}
 

clang/include/clang/Basic/DiagnosticSemaKinds.td

@@ -13026,6 +13026,11 @@ def warn_flow_nullable_field_init : Warning<
   InGroup<FlowNullableAssignment>;
 def note_nullable_field_init_fix : Note<
   "remove '_Nonnull' if this member can be null, or remove the null initializer">;
+def warn_flow_nullable_member_assignment : Warning<
+  "assigning nullable pointer to nonnull member %0">,
+  InGroup<FlowNullableAssignment>;
+def note_nullable_member_assignment_fix : Note<
+  "add a null check before assigning, or remove '_Nonnull' from the member">;
 def note_nullable_assignment_fix : Note<
   "add a null check before assigning, or change the variable type to "
   "'_Nullable'">;

clang/lib/Analysis/FlowNullability.cpp

@@ -1208,21 +1208,32 @@ class TransferFunctions {
                 }
               }
             }
-            if (!Narrowed && isNonnullInit(RHS))
-              Narrowed = true;
-            if (!Narrowed && isNonnullType(BO->getRHS()->getType()))
-              Narrowed = true;
-
-            if (Narrowed) {
-              if (IsThisMember)
-                State.NarrowedThisMembers.insert(FD);
-              else if (BaseVD)
-                State.NarrowedMembers.insert({BaseVD, FD});
-            } else if (isNullableType(BO->getRHS()->getType(), StrictMode,
-                                      DefaultNullability) ||
-                       isNullableInit(RHS)) {
+            // Null constant assigned to _Nonnull member — warn immediately.
+            // Check before isNonnullInit/isNonnullType because implicit
+            // casts can propagate _Nonnull from the LHS onto the RHS type.
+            if (!Narrowed && isNonnullType(FD->getType()) &&
+                isNullableInit(RHS) && !isNonnullInit(RHS)) {
               if (IsThisMember)
                 State.NullableThisMembers.insert(FD);
+              ++NumAssignmentWarnings;
+              Handler.handleNullableMemberAssignment(BO, FD);
+            } else {
+              if (!Narrowed && isNonnullInit(RHS))
+                Narrowed = true;
+              if (!Narrowed && isNonnullType(BO->getRHS()->getType()))
+                Narrowed = true;
+
+              if (Narrowed) {
+                if (IsThisMember)
+                  State.NarrowedThisMembers.insert(FD);
+                else if (BaseVD)
+                  State.NarrowedMembers.insert({BaseVD, FD});
+              } else if (isNullableType(BO->getRHS()->getType(), StrictMode,
+                                        DefaultNullability) ||
+                         isNullableInit(RHS)) {
+                if (IsThisMember)
+                  State.NullableThisMembers.insert(FD);
+              }
             }
 
             // Emit evidence for cross-TU inference.
@@ -1284,18 +1295,23 @@ class TransferFunctions {
                 }
               }
             }
-            if (isNonnullInit(RHS)) {
+            // Null constant assigned to _Nonnull — warn immediately.
+            // Check before isNonnullInit/isNonnullType because implicit
+            // casts can propagate _Nonnull from the LHS onto the RHS type.
+            if (isNonnullType(VD->getType()) && isNullableInit(RHS) &&
+                !isNonnullInit(RHS)) {
+              State.NullableVars.insert(VD);
+              ++NumAssignmentWarnings;
+              Handler.handleNullableAssignment(BO, VD);
+            } else if (isNonnullInit(RHS)) {
               State.NarrowedVars.insert(VD);
               return;
-            }
-            if (isNonnullType(BO->getRHS()->getType())) {
+            } else if (isNonnullType(BO->getRHS()->getType())) {
               State.NarrowedVars.insert(VD);
             } else if (isNullableType(BO->getRHS()->getType(), StrictMode,
                                       DefaultNullability) ||
                        isNullableInit(RHS)) {
               State.NullableVars.insert(VD);
-              // Flow-sensitive assignment check: warn when assigning a
-              // nullable value to a _Nonnull variable.
               if (isNonnullType(VD->getType())) {
                 ++NumAssignmentWarnings;
                 Handler.handleNullableAssignment(BO, VD);
@@ -1861,8 +1877,14 @@ class TransferFunctions {
 
     if (const auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl())) {
       if (isa<CXXThisExpr>(Base)) {
-        if (!isThisMemberNarrowed(FD))
+        // If flow analysis marked this member nullable (e.g. assigned nullptr),
+        // that overrides the declared _Nonnull type.
+        if (State.NullableThisMembers.contains(FD)) {
+          ++NumDereferenceWarnings;
+          Handler.handleNullableDereference(DerefExpr, ME->getType());
+        } else if (!isThisMemberNarrowed(FD)) {
           checkDeref(DerefExpr, ME->getType());
+        }
       } else if (const auto *DRE = dyn_cast<DeclRefExpr>(Base)) {
         if (const auto *BaseVD = dyn_cast<VarDecl>(DRE->getDecl())) {
           if (!isMemberNarrowed(BaseVD, FD))
@@ -1913,6 +1935,10 @@ class ReturnNonnullTracker : public FlowNullabilityHandler {
   void handleNullableAssignment(const Expr *E, const VarDecl *V) override {
     Inner.handleNullableAssignment(E, V);
   }
+  void handleNullableMemberAssignment(const Expr *E,
+                                      const FieldDecl *M) override {
+    Inner.handleNullableMemberAssignment(E, M);
+  }
   void handleNullableArgument(const Expr *E, const ParmVarDecl *P) override {
     Inner.handleNullableArgument(E, P);
   }

clang/lib/Sema/AnalysisBasedWarnings.cpp

@@ -2984,6 +2984,13 @@ class FlowNullabilityReporter : public FlowNullabilityHandler {
     S.Diag(AssignExpr->getExprLoc(), diag::note_nullable_assignment_fix);
   }
 
+  void handleNullableMemberAssignment(const Expr *AssignExpr,
+                                      const FieldDecl *Member) override {
+    S.Diag(AssignExpr->getExprLoc(), diag::warn_flow_nullable_member_assignment)
+        << Member;
+    S.Diag(AssignExpr->getExprLoc(), diag::note_nullable_member_assignment_fix);
+  }
+
   void handleNullableArgument(const Expr *ArgExpr,
                               const ParmVarDecl *Param) override {
     S.Diag(ArgExpr->getExprLoc(), diag::warn_flow_nullable_argument) << Param;

clang/test/SemaCXX/flow-nullability-nonnull-assign.cpp

@@ -0,0 +1,77 @@
+// flow-nullability-nonnull-assign.cpp - Tests for assigning null to _Nonnull.
+//
+// Covers: field default init, member assignment, local variable assignment,
+// and dereference after null assignment to _Nonnull.
+//
+// RUN: %clang_cc1 -fsyntax-only -fflow-sensitive-nullability -fnullability-default=nullable -std=c++17 -Wno-unused-value %s -verify
+
+struct Config { int timeout; };
+
+// --- Gap 1: _Nonnull field initialized with nullptr in class body ---
+
+struct FieldInitNull {
+  Config* _Nonnull config_ = nullptr; // expected-warning{{initializing nonnull member 'config_'}} expected-note{{remove '_Nonnull'}}
+};
+
+struct FieldInitZero {
+  Config* _Nonnull config_ = 0; // expected-warning{{initializing nonnull member 'config_'}} expected-note{{remove '_Nonnull'}}
+};
+
+struct FieldInitOk {
+  Config* config_ = nullptr; // no warning — not _Nonnull
+};
+
+struct FieldNoInit {
+  Config* _Nonnull config_; // no warning — no initializer
+};
+
+// --- Gap 2: assigning nullptr to _Nonnull member inside method ---
+
+struct MemberAssignNull {
+  Config* _Nonnull config_;
+  MemberAssignNull(Config* _Nonnull c) : config_(c) {}
+  void reset() {
+    config_ = nullptr; // expected-warning{{assigning nullable pointer to nonnull member 'config_'}} expected-note{{add a null check}}
+  }
+};
+
+struct MemberAssignOk {
+  Config* _Nonnull config_;
+  MemberAssignOk(Config* _Nonnull c) : config_(c) {}
+  void swap(Config* _Nonnull other) {
+    config_ = other; // no warning — nonnull to nonnull
+  }
+};
+
+// --- Gap 3: assigning nullptr to _Nonnull local variable ---
+
+void local_assign_null() {
+  Config c;
+  Config* _Nonnull p = &c;
+  p = nullptr; // expected-warning{{assigning nullable pointer to nonnull variable 'p'}} expected-note{{add a null check}}
+}
+
+void local_assign_ok() {
+  Config c1, c2;
+  Config* _Nonnull p = &c1;
+  p = &c2; // no warning — address-of is nonnull
+}
+
+// --- Gap 4: dereference after null assignment to _Nonnull member ---
+
+struct DerefAfterNull {
+  Config* _Nonnull config_;
+  DerefAfterNull(Config* _Nonnull c) : config_(c) {}
+  int bad() {
+    config_ = nullptr; // expected-warning{{assigning nullable pointer to nonnull member 'config_'}} expected-note{{add a null check}}
+    return config_->timeout; // expected-warning{{dereference of nullable pointer}} expected-note{{add a null check}}
+  }
+};
+
+// Deref after null assign to local
+int local_deref_after_null() {
+  Config c;
+  Config* _Nonnull p = &c;
+  p = nullptr; // expected-warning{{assigning nullable pointer to nonnull variable 'p'}} expected-note{{add a null check}}
+  return p->timeout; // expected-warning{{dereference of nullable pointer}} expected-note{{add a null check}}
+}