• Home
  • History
  • Annotate
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
2          "http://www.w3.org/TR/html4/strict.dtd">
3<html>
4<head>
5  <title>FAQ and How to Deal with Common False Positives</title>
6  <link type="text/css" rel="stylesheet" href="menu.css">
7  <link type="text/css" rel="stylesheet" href="content.css">
8  <script type="text/javascript" src="scripts/menu.js"></script>
9  <style type="text/css">
10    tr:first-child { width:20%; }
11  </style>
12</head>
13<body>
14
15<div id="page">
16<!--#include virtual="menu.html.incl"-->
17
18<div id="content">
19
20<h1>FAQ and How to Deal with Common False Positives</h1>
21
22<ol>
23  <li><a href="#custom_assert">How do I tell the analyzer that I do not want the bug being
24reported here since my custom error handler will safely end the execution before
25the bug is reached?</a></li>
26  <li><a href="#null_pointer">The analyzer reports a null dereference, but I know that the
27pointer is never null. How can I tell the analyzer that a pointer can never be
28null?</a></li>
29  <li><a href="#dead_store">How do I tell the static analyzer that I don't care about a specific dead store?</a></li>
30  <li><a href="#unused_ivar">How do I tell the static analyzer that I don't care about a specific unused instance variable in Objective C?</a></li>
31  <li><a href="#unlocalized_string">How do I tell the static analyzer that I don't care about a specific unlocalized string?</a></li>
32  <li><a href="#dealloc_mrr">How do I tell the analyzer that my instance variable does not need to be released in -dealloc under Manual Retain/Release?</a></li>
33  <li><a href="#decide_nullability">How do I decide whether a method's return type should be _Nullable or _Nonnull?</a></li>
34  <li><a href="#nullability_intentional_violation">How do I tell the analyzer that I am intentionally violating nullability?</a></li>
35  <li><a href="#use_assert">The analyzer assumes that a loop body is never entered.  How can I tell it that the loop body will be entered at least once?</a></li>
36  <li><a href="#suppress_issue">How can I suppress a specific analyzer warning?</a></li>
37  <li><a href="#exclude_code">How can I selectively exclude code the analyzer examines?</a></li>
38</ol>
39
40
41<h4 id="custom_assert" class="faq">Q: How do I tell the analyzer that I do not want the bug being
42reported here since my custom error handler will safely end the execution before
43the bug is reached?</h4>
44
45<img src="images/example_custom_assert.png" alt="example custom assert">
46
47<p>You can tell the analyzer that this path is unreachable by teaching it about your <a href = "annotations.html#custom_assertions" >custom assertion handlers</a>. For example, you can modify the code segment as following.</p>
48
49<pre class="code_example">
50void customAssert() <span class="code_highlight">__attribute__((analyzer_noreturn))</span>;
51int foo(int *b) {
52  if (!b)
53    customAssert();
54  return *b;
55}</pre>
56
57
58<h4 id="null_pointer" class="faq">Q: The analyzer reports a null dereference, but I know that the
59pointer is never null. How can I tell the analyzer that a pointer can never be
60null?</h4>
61
62<img src="images/example_null_pointer.png" alt="example null pointer">
63
64<p>The reason the analyzer often thinks that a pointer can be null is because the preceding code checked compared it against null. So if you are absolutely sure that it cannot be null, remove the preceding check and, preferably, add an assertion as well. For example, in the code segment above, it will be sufficient to remove the <tt>if (!b)</tt> check. </p>
65
66<pre class="code_example">
67void usePointer(int *b);
68int foo(int *b) {
69  usePointer(b);
70  return *b;
71}</pre>
72
73<h4 id="dead_store" class="faq">Q: How do I tell the static analyzer that I don't care about a specific dead store?</h4>
74
75<p>When the analyzer sees that a value stored into a variable is never used, it's going to produce a message similar to this one:
76<pre class="code_example">Value stored to 'x' is never read</pre>
77You can use the <tt>(void)x;</tt> idiom to acknowledge that there is a dead store in your code but you do not want it to be reported in the future.</p>
78
79<h4 id="unused_ivar" class="faq">Q: How do I tell the static analyzer that I don't care about a specific unused instance variable in Objective C?</h4>
80
81<p>When the analyzer sees that a value stored into a variable is never used, it is going to produce a message similar to this one:
82<pre class="code_example">Instance variable 'commonName' in class 'HappyBird' is never used by the methods in its @implementation</pre>
83You can add <tt>__attribute__((unused))</tt> to the instance variable declaration to suppress the warning.</p>
84
85<h4 id="unlocalized_string" class="faq">Q: How do I tell the static analyzer that I don't care about a specific unlocalized string?</h4>
86
87<p>When the analyzer sees that an unlocalized string is passed to a method that will present that string to the user, it is going to produce a message similar to this one:
88<pre class="code_example">User-facing text should use localized string macro</pre>
89
90If your project deliberately uses unlocalized user-facing strings (for example, in a debugging UI that is never shown to users), you can suppress the analyzer warnings (and document your intent) with a function that just returns its input but is annotated to return a localized string:
91<pre class="code_example">
92__attribute__((annotate("returns_localized_nsstring")))
93static inline NSString *LocalizationNotNeeded(NSString *s) {
94  return s;
95}
96</pre>
97
98You can then call this function when creating your debugging UI:
99<pre class="code_example">
100[field setStringValue:LocalizationNotNeeded(@"Debug")];
101</pre>
102
103Some projects may also find it useful to use NSLocalizedString but add "DNL" or "Do Not Localize" to the string contents as a convention:
104<pre class="code_example">
105UILabel *testLabel = [[UILabel alloc] init];
106NSString *s = NSLocalizedString(@"Hello &lt;Do Not Localize&gt;", @"For debug purposes");
107[testLabel setText:s];
108</pre>
109</p>
110
111<h4 id="dealloc_mrr" class="faq">Q: How do I tell the analyzer that my instance variable does not need to be released in -dealloc under Manual Retain/Release?</h4>
112
113<p>If your class only uses an instance variable for part of its lifetime, it may
114maintain an invariant guaranteeing that the instance variable is always released
115before -dealloc. In this case, you can silence a warning about a missing release
116by either adding <tt>assert(_ivar == nil)</tt> or an explicit release
117<tt>[_ivar release]</tt> (which will be a no-op when the variable is nil) in
118-dealloc. </p>
119
120<h4 id="decide_nullability" class="faq">Q: How do I decide whether a method's return type should be _Nullable or _Nonnull?</h4>
121
122<p> Depending on the implementation of the method, this puts you in one of five situations:
123<ol>
124<li>You actually never return nil.</li>
125<li>You do return nil sometimes, and callers are supposed to handle that. This
126includes cases where your method is documented to return nil given certain
127inputs.</li>
128<li>You return nil based on some external condition (such as an out-of-memory
129error), but the client can't do anything about it either.</li>
130<li>You return nil only when the caller passes input documented to be invalid.
131That means it's the client's fault.</li>
132<li>You return nil in some totally undocumented case.</li>
133</ol>
134</p>
135
136<p>In (1) you should annotate the method as returning a <tt>_Nonnull</tt>
137object.</p>
138<p>In (2) the method should be marked <tt>_Nullable.</tt></p>
139<p>In (3) you should probably annotate the method <tt>_Nonnull</tt>. Why?
140Because no callers will actually check for nil, given that they can't do
141anything about the situation and don't know what went wrong. At this point
142things have gone so poorly that there's basically no way to recover.</p>
143<p>The least happy case is (4) because the resulting program will almost
144certainly either crash or just silently do the wrong thing.
145If this is a new method or you control the callers, you can use
146<tt>NSParameterAssert()</tt> (or the equivalent) to check the precondition and
147remove the nil return. But if you don't control the callers and they rely on
148this behavior, you should return mark the method <tt>_Nonnull</tt> and return
149nil <a href="#nullability_intentional_violation">cast to _Nonnull</a> anyway.
150(Note that (4) doesn't apply in cases where the caller can't know they passed
151bad parameters. For example,
152<tt>+[NSData dataWithContentsOfFile:options:error:]</tt> will fail if the file
153doesn't exist, but there's no way to check for that in advance. This means
154you're really in (2).)</p>
155<p>If you're in (5), document it, then figure out if you're now in (2), (3), or
156(4). :-)</p>
157
158<h4 id="nullability_intentional_violation" class="faq">Q: How do I tell the analyzer that I am intentionally violating nullability?</h4>
159
160<p>In some cases, it may make sense for methods to intentionally violate
161nullability. For example, your method may &mdash; for reasons of backward
162compatibility &mdash; chose to return nil and log an error message in a method
163with a non-null return type when the client violated a documented precondition
164rather than check the precondition with <tt>NSAssert()</tt>. In these cases, you
165can suppress the analyzer warning with a cast:
166<pre class="code_example">
167    return (id _Nonnull)nil;
168</pre>
169Note that this cast does not affect code generation.
170</p>
171
172<h4 id="use_assert" class="faq">Q: The analyzer assumes that a loop body is never entered.  How can I tell it that the loop body will be entered at least once?</h4>
173
174<img src="images/example_use_assert.png" alt="example use assert">
175
176<p> In the contrived example above, the analyzer has detected that the body of
177the loop is never entered for the case where <tt>length <= 0</tt>. In this
178particular example, you may know that the loop will always be entered because
179the input parameter <tt>length</tt> will be greater than zero in all calls to this
180function. You can teach the analyzer facts about your code as well as document
181it by using assertions. By adding <tt>assert(length > 0)</tt> in the beginning
182of the function, you tell the analyzer that your code is never expecting a zero
183or a negative value, so it won't need to test the correctness of those paths.
184</p>
185
186<pre class="code_example">
187int foo(int length) {
188  int x = 0;
189  <span class="code_highlight">assert(length > 0);</span>
190  for (int i = 0; i < length; i++)
191    x += 1;
192  return length/x;
193}
194</pre>
195
196<h4 id="suppress_issue" class="faq">Q: How can I suppress a specific analyzer warning?</h4>
197
198<p>There is currently no solid mechanism for suppressing an analyzer warning,
199although this is currently being investigated. When you encounter an analyzer
200bug/false positive, check if it's one of the issues discussed above or if the
201analyzer <a href = "annotations.html#custom_assertions" >annotations</a> can
202resolve the issue. Second, please <a href = "filing_bugs.html">report it</a> to
203help us improve user experience. As the last resort, consider using <tt>__clang_analyzer__</tt> macro
204<a href = "faq.html#exclude_code" >described below</a>.</p>
205
206<h4 id="exclude_code" class="faq">Q: How can I selectively exclude code the analyzer examines?</h4>
207
208<p>When the static analyzer is using clang to parse source files, it implicitly
209defines the preprocessor macro <tt>__clang_analyzer__</tt>. One can use this
210macro to selectively exclude code the analyzer examines. Here is an example:
211
212<pre class="code_example">
213#ifndef __clang_analyzer__
214// Code not to be analyzed
215#endif
216</pre>
217
218This usage is discouraged because it makes the code dead to the analyzer from
219now on. Instead, we prefer that users file bugs against the analyzer when it flags
220false positives.
221</p>
222
223</div>
224</div>
225</body>
226</html>
227