1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 2 "http://www.w3.org/TR/html4/strict.dtd"> 3<html> 4<head> 5 <title>FAQ and How to Deal with Common False Positives</title> 6 <link type="text/css" rel="stylesheet" href="menu.css"> 7 <link type="text/css" rel="stylesheet" href="content.css"> 8 <script type="text/javascript" src="scripts/menu.js"></script> 9 <style type="text/css"> 10 tr:first-child { width:20%; } 11 </style> 12</head> 13<body> 14 15<div id="page"> 16<!--#include virtual="menu.html.incl"--> 17 18<div id="content"> 19 20<h1>FAQ and How to Deal with Common False Positives</h1> 21 22<ol> 23 <li><a href="#custom_assert">How do I tell the analyzer that I do not want the bug being 24reported here since my custom error handler will safely end the execution before 25the bug is reached?</a></li> 26 <li><a href="#null_pointer">The analyzer reports a null dereference, but I know that the 27pointer is never null. How can I tell the analyzer that a pointer can never be 28null?</a></li> 29 <li><a href="#dead_store">How do I tell the static analyzer that I don't care about a specific dead store?</a></li> 30 <li><a href="#unused_ivar">How do I tell the static analyzer that I don't care about a specific unused instance variable in Objective C?</a></li> 31 <li><a href="#unlocalized_string">How do I tell the static analyzer that I don't care about a specific unlocalized string?</a></li> 32 <li><a href="#dealloc_mrr">How do I tell the analyzer that my instance variable does not need to be released in -dealloc under Manual Retain/Release?</a></li> 33 <li><a href="#decide_nullability">How do I decide whether a method's return type should be _Nullable or _Nonnull?</a></li> 34 <li><a href="#nullability_intentional_violation">How do I tell the analyzer that I am intentionally violating nullability?</a></li> 35 <li><a href="#use_assert">The analyzer assumes that a loop body is never entered. How can I tell it that the loop body will be entered at least once?</a></li> 36 <li><a href="#suppress_issue">How can I suppress a specific analyzer warning?</a></li> 37 <li><a href="#exclude_code">How can I selectively exclude code the analyzer examines?</a></li> 38</ol> 39 40 41<h4 id="custom_assert" class="faq">Q: How do I tell the analyzer that I do not want the bug being 42reported here since my custom error handler will safely end the execution before 43the bug is reached?</h4> 44 45<img src="images/example_custom_assert.png" alt="example custom assert"> 46 47<p>You can tell the analyzer that this path is unreachable by teaching it about your <a href = "annotations.html#custom_assertions" >custom assertion handlers</a>. For example, you can modify the code segment as following.</p> 48 49<pre class="code_example"> 50void customAssert() <span class="code_highlight">__attribute__((analyzer_noreturn))</span>; 51int foo(int *b) { 52 if (!b) 53 customAssert(); 54 return *b; 55}</pre> 56 57 58<h4 id="null_pointer" class="faq">Q: The analyzer reports a null dereference, but I know that the 59pointer is never null. How can I tell the analyzer that a pointer can never be 60null?</h4> 61 62<img src="images/example_null_pointer.png" alt="example null pointer"> 63 64<p>The reason the analyzer often thinks that a pointer can be null is because the preceding code checked compared it against null. So if you are absolutely sure that it cannot be null, remove the preceding check and, preferably, add an assertion as well. For example, in the code segment above, it will be sufficient to remove the <tt>if (!b)</tt> check. </p> 65 66<pre class="code_example"> 67void usePointer(int *b); 68int foo(int *b) { 69 usePointer(b); 70 return *b; 71}</pre> 72 73<h4 id="dead_store" class="faq">Q: How do I tell the static analyzer that I don't care about a specific dead store?</h4> 74 75<p>When the analyzer sees that a value stored into a variable is never used, it's going to produce a message similar to this one: 76<pre class="code_example">Value stored to 'x' is never read</pre> 77You can use the <tt>(void)x;</tt> idiom to acknowledge that there is a dead store in your code but you do not want it to be reported in the future.</p> 78 79<h4 id="unused_ivar" class="faq">Q: How do I tell the static analyzer that I don't care about a specific unused instance variable in Objective C?</h4> 80 81<p>When the analyzer sees that a value stored into a variable is never used, it is going to produce a message similar to this one: 82<pre class="code_example">Instance variable 'commonName' in class 'HappyBird' is never used by the methods in its @implementation</pre> 83You can add <tt>__attribute__((unused))</tt> to the instance variable declaration to suppress the warning.</p> 84 85<h4 id="unlocalized_string" class="faq">Q: How do I tell the static analyzer that I don't care about a specific unlocalized string?</h4> 86 87<p>When the analyzer sees that an unlocalized string is passed to a method that will present that string to the user, it is going to produce a message similar to this one: 88<pre class="code_example">User-facing text should use localized string macro</pre> 89 90If your project deliberately uses unlocalized user-facing strings (for example, in a debugging UI that is never shown to users), you can suppress the analyzer warnings (and document your intent) with a function that just returns its input but is annotated to return a localized string: 91<pre class="code_example"> 92__attribute__((annotate("returns_localized_nsstring"))) 93static inline NSString *LocalizationNotNeeded(NSString *s) { 94 return s; 95} 96</pre> 97 98You can then call this function when creating your debugging UI: 99<pre class="code_example"> 100[field setStringValue:LocalizationNotNeeded(@"Debug")]; 101</pre> 102 103Some projects may also find it useful to use NSLocalizedString but add "DNL" or "Do Not Localize" to the string contents as a convention: 104<pre class="code_example"> 105UILabel *testLabel = [[UILabel alloc] init]; 106NSString *s = NSLocalizedString(@"Hello <Do Not Localize>", @"For debug purposes"); 107[testLabel setText:s]; 108</pre> 109</p> 110 111<h4 id="dealloc_mrr" class="faq">Q: How do I tell the analyzer that my instance variable does not need to be released in -dealloc under Manual Retain/Release?</h4> 112 113<p>If your class only uses an instance variable for part of its lifetime, it may 114maintain an invariant guaranteeing that the instance variable is always released 115before -dealloc. In this case, you can silence a warning about a missing release 116by either adding <tt>assert(_ivar == nil)</tt> or an explicit release 117<tt>[_ivar release]</tt> (which will be a no-op when the variable is nil) in 118-dealloc. </p> 119 120<h4 id="decide_nullability" class="faq">Q: How do I decide whether a method's return type should be _Nullable or _Nonnull?</h4> 121 122<p> Depending on the implementation of the method, this puts you in one of five situations: 123<ol> 124<li>You actually never return nil.</li> 125<li>You do return nil sometimes, and callers are supposed to handle that. This 126includes cases where your method is documented to return nil given certain 127inputs.</li> 128<li>You return nil based on some external condition (such as an out-of-memory 129error), but the client can't do anything about it either.</li> 130<li>You return nil only when the caller passes input documented to be invalid. 131That means it's the client's fault.</li> 132<li>You return nil in some totally undocumented case.</li> 133</ol> 134</p> 135 136<p>In (1) you should annotate the method as returning a <tt>_Nonnull</tt> 137object.</p> 138<p>In (2) the method should be marked <tt>_Nullable.</tt></p> 139<p>In (3) you should probably annotate the method <tt>_Nonnull</tt>. Why? 140Because no callers will actually check for nil, given that they can't do 141anything about the situation and don't know what went wrong. At this point 142things have gone so poorly that there's basically no way to recover.</p> 143<p>The least happy case is (4) because the resulting program will almost 144certainly either crash or just silently do the wrong thing. 145If this is a new method or you control the callers, you can use 146<tt>NSParameterAssert()</tt> (or the equivalent) to check the precondition and 147remove the nil return. But if you don't control the callers and they rely on 148this behavior, you should return mark the method <tt>_Nonnull</tt> and return 149nil <a href="#nullability_intentional_violation">cast to _Nonnull</a> anyway. 150(Note that (4) doesn't apply in cases where the caller can't know they passed 151bad parameters. For example, 152<tt>+[NSData dataWithContentsOfFile:options:error:]</tt> will fail if the file 153doesn't exist, but there's no way to check for that in advance. This means 154you're really in (2).)</p> 155<p>If you're in (5), document it, then figure out if you're now in (2), (3), or 156(4). :-)</p> 157 158<h4 id="nullability_intentional_violation" class="faq">Q: How do I tell the analyzer that I am intentionally violating nullability?</h4> 159 160<p>In some cases, it may make sense for methods to intentionally violate 161nullability. For example, your method may — for reasons of backward 162compatibility — chose to return nil and log an error message in a method 163with a non-null return type when the client violated a documented precondition 164rather than check the precondition with <tt>NSAssert()</tt>. In these cases, you 165can suppress the analyzer warning with a cast: 166<pre class="code_example"> 167 return (id _Nonnull)nil; 168</pre> 169Note that this cast does not affect code generation. 170</p> 171 172<h4 id="use_assert" class="faq">Q: The analyzer assumes that a loop body is never entered. How can I tell it that the loop body will be entered at least once?</h4> 173 174<img src="images/example_use_assert.png" alt="example use assert"> 175 176<p> In the contrived example above, the analyzer has detected that the body of 177the loop is never entered for the case where <tt>length <= 0</tt>. In this 178particular example, you may know that the loop will always be entered because 179the input parameter <tt>length</tt> will be greater than zero in all calls to this 180function. You can teach the analyzer facts about your code as well as document 181it by using assertions. By adding <tt>assert(length > 0)</tt> in the beginning 182of the function, you tell the analyzer that your code is never expecting a zero 183or a negative value, so it won't need to test the correctness of those paths. 184</p> 185 186<pre class="code_example"> 187int foo(int length) { 188 int x = 0; 189 <span class="code_highlight">assert(length > 0);</span> 190 for (int i = 0; i < length; i++) 191 x += 1; 192 return length/x; 193} 194</pre> 195 196<h4 id="suppress_issue" class="faq">Q: How can I suppress a specific analyzer warning?</h4> 197 198<p>There is currently no solid mechanism for suppressing an analyzer warning, 199although this is currently being investigated. When you encounter an analyzer 200bug/false positive, check if it's one of the issues discussed above or if the 201analyzer <a href = "annotations.html#custom_assertions" >annotations</a> can 202resolve the issue. Second, please <a href = "filing_bugs.html">report it</a> to 203help us improve user experience. As the last resort, consider using <tt>__clang_analyzer__</tt> macro 204<a href = "faq.html#exclude_code" >described below</a>.</p> 205 206<h4 id="exclude_code" class="faq">Q: How can I selectively exclude code the analyzer examines?</h4> 207 208<p>When the static analyzer is using clang to parse source files, it implicitly 209defines the preprocessor macro <tt>__clang_analyzer__</tt>. One can use this 210macro to selectively exclude code the analyzer examines. Here is an example: 211 212<pre class="code_example"> 213#ifndef __clang_analyzer__ 214// Code not to be analyzed 215#endif 216</pre> 217 218This usage is discouraged because it makes the code dead to the analyzer from 219now on. Instead, we prefer that users file bugs against the analyzer when it flags 220false positives. 221</p> 222 223</div> 224</div> 225</body> 226</html> 227