pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5a71583c72'
${ noResults }
infer_clone/infer/tests/codetoanalyze/java/nullsafe/StrictMode.java

288 lines
8.6 KiB
Raw Normal View History Unescape

[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
/*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
[nullsafe][tests] Rename package name from nullsafe_default to nullsafe Summary: Let's make package name match the directory name to follow Java's file lookup conventions Reviewed By: skcho Differential Revision: D22183964 fbshipit-source-id: b9958b975
4 years ago
package codetoanalyze.java.nullsafe;
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
import com.facebook.infer.annotation.NullsafeStrict;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
@NullsafeStrict
class Strict {
[nullsafe] Show Strict mode violations as errors: part 3 Summary: This diff implements this for Field Not Initialized check Reviewed By: artempyanykh Differential Revision: D19393989 fbshipit-source-id: cf60e8d53
5 years ago
public String notInitializedIsBAD;
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
public @Nullable String nullable;
public @Nonnull String nonnull = "";
public @Nullable String getNullable() {
return nullable;
}
public String getNonnull() {
return nonnull;
}
[nullsafe] Make Strict mode respect static methods Summary: The wrong function was used when we tried to see if the class is annotated with NullsafeStrict. This made it work only for non-static methods. Now we use the proper way. Reviewed By: ngorogiannis Differential Revision: D18113848 fbshipit-source-id: 02b7555be
5 years ago
public static @Nullable String staticNullable() {
return null;
}
public static String staticNonnull() {
return "";
}
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
// 1. Inside the same class, we trust annotations.
private void sameClass_dereferenceNullableMethodIsBad() {
getNullable().toString();
}
private void sameClass_dereferenceNonnullMethodIsOK() {
getNonnull().toString();
}
[nullsafe] Make Strict mode respect static methods Summary: The wrong function was used when we tried to see if the class is annotated with NullsafeStrict. This made it work only for non-static methods. Now we use the proper way. Reviewed By: ngorogiannis Differential Revision: D18113848 fbshipit-source-id: 02b7555be
5 years ago
private void sameClass_dereferenceNullableStaticMethodIsBad() {
staticNullable().toString();
}
private void sameClass_dereferenceNonnullStaticMethodIsOK() {
staticNonnull().toString();
}
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
private void sameClass_dereferenceNullableFieldIsBad() {
nullable.toString();
}
private void sameClass_dereferenceNonnullFieldIsOK() {
nonnull.toString();
}
private String sameClass_convertingNullableToNonnullIsBad() {
return getNullable();
}
private String sameClass_convertingNonnullToNonnullIsOK() {
return getNonnull();
}
// 2. We trust annotations that came from other classes annotated as strict
private void strictClass_dereferenceNullableMethodIsBad() {
(new OtherStrict()).getNullable().toString();
}
private void strictClass_dereferenceNonnullMethodIsOK() {
(new OtherStrict()).getNonnull().toString();
}
[nullsafe] Make Strict mode respect static methods Summary: The wrong function was used when we tried to see if the class is annotated with NullsafeStrict. This made it work only for non-static methods. Now we use the proper way. Reviewed By: ngorogiannis Differential Revision: D18113848 fbshipit-source-id: 02b7555be
5 years ago
private void strictClass_dereferenceNullableStaticMethodIsBad() {
OtherStrict.staticNullable().toString();
}
private void strictClass_dereferenceNonnullStaticMethodIsOK() {
OtherStrict.staticNonnull().toString();
}
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
private void strictClass_dereferenceNullableFieldIsBad() {
(new OtherStrict()).nullable.toString();
}
private void strictClass_dereferenceNonnullFieldIsOK() {
(new OtherStrict()).nonnull.toString();
}
private String strictClass_convertingNullableToNonnullIsBad() {
return (new OtherStrict()).getNullable();
}
private String strictClass_convertingNonnullToNonnullIsOK() {
return (new OtherStrict()).getNonnull();
}
// 3. We DON'T trust annotations that came from other classes NOT annotated as strict
// when it comes to dereferencing or converting them to nullable.
private void nonStrictClass_dereferenceNullableMethodIsBad() {
(new NonStrict()).getNullable().toString();
}
private void nonStrictClass_dereferenceNonnullMethodIsBad() {
// even that it is declared as nonnull, can not dereference it without checking before
(new NonStrict()).getNonnull().toString();
}
[nullsafe] Make Strict mode respect static methods Summary: The wrong function was used when we tried to see if the class is annotated with NullsafeStrict. This made it work only for non-static methods. Now we use the proper way. Reviewed By: ngorogiannis Differential Revision: D18113848 fbshipit-source-id: 02b7555be
5 years ago
private void nonStrictClass_dereferenceNullableStaticMethodIsBad() {
NonStrict.staticNullable().toString();
}
private void nonStrictClass_dereferenceNonnullStaticMethodIsBad() {
// even that it is declared as nonnull, can not dereference it without checking before
NonStrict.staticNonnull().toString();
}
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
private void nonStrictClass_dereferenceNullableFieldIsBad() {
(new NonStrict()).nullable.toString();
}
private void nonStrictClass_dereferenceNonnullFieldIsBad() {
// even that it is declared as nonnull, can not dereference it without checking before
(new NonStrict()).nonnull.toString();
}
private String nonStrictClass_convertingNullableToNonnullIsBad() {
return (new NonStrict()).getNullable();
}
[nullsafe] Primitive types are always Nonnull Summary: Primitive types are not annotated. Because of that, we used to implicitly derive `DeclaredNonnull` type for them. This worked fine, but this leads to errors in Strict mode, which does not believe DeclaredNonnull type. Now lets offifically teach nullsafe that primitive types are non-nullable. Reviewed By: jvillard Differential Revision: D18114623 fbshipit-source-id: 227217931
5 years ago
public int usingPrimitiveTypesFromNonStrictIsOK() {
// Of course, primitive types can not be nullable so it
// does not matter if they are used from NonStrict
return NonStrict.getPrimitiveTypeValue();
}
[nullsafe] Enum values can be used as non-null without strictification Summary: According to Java semantics, they are always non-null. Internally they are represented as static fields, so they have DeclaredNonnull nullability, which means NullsafeStrict mode would refuse to use them without strictification. Lets teach nullsafe that these guys are non-nullables. See also FN in test case. Reviewed By: ngorogiannis Differential Revision: D19024547 fbshipit-source-id: 8c120fa50
5 years ago
// We don't require strictifying enums: their values are non-nullables
private SomeEnum usingEnumValuesAsNonnullIsOK() {
String str = SomeEnum.FIRST_VALUE.toString(); // can dereference
SomeEnum.FIRST_VALUE.someMethod(); // can dereference via calling a enum-specific method
return SomeEnum.SECOND_VALUE; // can convert to nonnull
}
// FAKE_VALUE is not a value, but just a static fields so should require strictification
// (but it does not)
private SomeEnum FN_usingNonStrictifiedStaticFieldsInEnumsShouldBeBad() {
String str = SomeEnum.FAKE_VALUE.toString(); // should not be able to dereference
SomeEnum.FAKE_VALUE.someMethod(); // should not be able to dereference
return SomeEnum.FAKE_VALUE; // should not be able to convert to nonnull
}
[nullsafe] Model nullability of special enum methods Summary: These 2 methods are automatically supplied for all enums, with predefined behavior and nullability: https://www.geeksforgeeks.org/enum-in-java/ (Note that they are not part of java.lang.Enum class). This will allow using them in unvetted third part and under strict mode. Reviewed By: artempyanykh Differential Revision: D21501716 fbshipit-source-id: 104082d15
5 years ago
private SomeEnum[] enumValuesIsNonnullable() {
// values() is a special enum method which is never nullable
return SomeEnum.values();
}
private SomeEnum enumValueOfIsNonnullable() {
// valueOf() is a special enum method which is never nullable
return SomeEnum.valueOf("this will throw but won't return null");
}
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
private String nonStrictClass_convertingNonnullToNonnullIsBad() {
// even that it is declared as nonnull, can not convert it to nonnull it without checking before
return (new NonStrict()).getNonnull();
}
// 4. We don't completely prohibit using non-strict from strict, but we do require extra checks
// or adding defensive annotations.
private void nonStrictClass_dereferenceNonnullFieldAfterCheckIsOK() {
NonStrict o = new NonStrict();
if (o.nonnull != null) {
// This works because Nullsafe assumes that the field won't be modified between the calls
// (e.g. in multithreading context)
o.nonnull.toString();
}
}
private void nonStrictClass_dereferenceNonnullMethodAfterCheckIsOK() {
NonStrict o = new NonStrict();
if (o.getNonnull() != null) {
// This works because Nullsafe assumes that all methods are determenistic and side-effect
// free, so the second call won't return null.
o.getNonnull().toString();
}
}
private @Nullable String nonStrictClass_convertingNonnullToNullableIsOK() {
return (new NonStrict()).getNonnull();
}
// 5. Main promise of strict mode: if the function is not annotated as nullable,
// it won't return null.
// So, if a function is annotated as strict, no extra check on caller's side is required.
// But strict mode DOES NOT guarantee there will be absolutely no NPE in callees:
// a) Even if strict mode calls only strict mode, there can be assertions that will throw NPE.
// b) We allow calling non-strict functions, and they internally can be inconsistent and throw
// NPE.
// c) We even allow passing values obtained from non-strict code, to other parts of non-strict
// code (e.g. we allow glueing 2 non-strict classes together inside a strict class, which might
// potentially lead to NPE if one of annotations is untrusted).
private void propagatingNonnullFromNonStrictToStrictIsBad() {
NonStrict nonStrict = new NonStrict();
OtherStrict strict = new OtherStrict();
nonStrict.nonnull = strict.getNonnull();
}
private void propagatingNonnullBetweenTwoNonStrictObjectsIsOK() {
NonStrict nonStrict1 = new NonStrict();
NonStrict nonStrict2 = new NonStrict();
// Though getNonnull() is declared as non-nullable, is not strictly checked
// so there is a possibility that it can return null, e.g. if it calls to a third-party
// libraries. this null can leak to `nonnull` field, which might be a bad thing and lead to
// issues.
// This is OK for strict mode.
nonStrict1.nonnull = nonStrict2.getNonnull();
}
}
@NullsafeStrict
class OtherStrict {
public @Nullable String nullable;
public String nonnull = "";
public @Nullable String getNullable() {
return nullable;
}
public String getNonnull() {
return nonnull;
}
[nullsafe] Make Strict mode respect static methods Summary: The wrong function was used when we tried to see if the class is annotated with NullsafeStrict. This made it work only for non-static methods. Now we use the proper way. Reviewed By: ngorogiannis Differential Revision: D18113848 fbshipit-source-id: 02b7555be
5 years ago
public static @Nullable String staticNullable() {
return null;
}
public static String staticNonnull() {
return "";
}
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
}
class NonStrict {
public @Nullable String nullable;
public String nonnull = "";
public @Nullable String getNullable() {
return nullable;
}
public String getNonnull() {
return nonnull;
}
[nullsafe] Make Strict mode respect static methods Summary: The wrong function was used when we tried to see if the class is annotated with NullsafeStrict. This made it work only for non-static methods. Now we use the proper way. Reviewed By: ngorogiannis Differential Revision: D18113848 fbshipit-source-id: 02b7555be
5 years ago
public static @Nullable String staticNullable() {
return null;
}
public static String staticNonnull() {
return "";
}
[nullsafe] Primitive types are always Nonnull Summary: Primitive types are not annotated. Because of that, we used to implicitly derive `DeclaredNonnull` type for them. This worked fine, but this leads to errors in Strict mode, which does not believe DeclaredNonnull type. Now lets offifically teach nullsafe that primitive types are non-nullable. Reviewed By: jvillard Differential Revision: D18114623 fbshipit-source-id: 227217931
5 years ago
public static int getPrimitiveTypeValue() {
return 0;
}
[nullsafe] Introduce Strict mode Summary: This is the first take on strict mode semantics. The main invariant of strict mode is the following: If the function passes `NullsafeStrict` check and its return value is NOT annotated as Nullable, then the function does not indeed return nulls, subject to unsoundness issues (which should either be fixed, or should rarely happen in practice). This invariant helps the caller in two ways: 1. Dangerous usages of non strict functions are visible, so the caller is enforced to check them (via assertions or conditions), or strictify them. 2. When the function is strict, the caller does not need to worry about being defensive. Biggest known issues so far: 1. Condition redundant and over-annotated warnings don't fully respect strict mode, and this leads to stupid false positives. (There is so much more stupid false positives in condition redundant anyway, so not particularly a big deal for now). 2. Error reporting is not specific to mode. (E.g. we don't distinct real nullables and non-trusted non-nulls, which can be misleading). To be improved as a follow up. Reviewed By: artempyanykh Differential Revision: D17978166 fbshipit-source-id: d6146ad71
5 years ago
}
[nullsafe] Enum values can be used as non-null without strictification Summary: According to Java semantics, they are always non-null. Internally they are represented as static fields, so they have DeclaredNonnull nullability, which means NullsafeStrict mode would refuse to use them without strictification. Lets teach nullsafe that these guys are non-nullables. See also FN in test case. Reviewed By: ngorogiannis Differential Revision: D19024547 fbshipit-source-id: 8c120fa50
5 years ago
enum SomeEnum {
FIRST_VALUE,
SECOND_VALUE;
public void someMethod() {}
// We currently have no way to distinct that guy from enum value.
// Using it will lead to NPE, but we won't detect it
// This should not occur in practice often, hopefully :)
public static SomeEnum FAKE_VALUE;
}