JSpecify: Handle @Nonnull elements in @Nullable content arrays

[armughan11]

Handles unexpected error cases in JSpecify mode where an index is asserted @Nonnull (fizz[x]!=null) but the array elements itself could be null (@Nullable String [] fizz).

Example

@Nullable String [] fizz ={"1"}
if (fizz[i] != null) {
    fizz[i].toString();
}

Current Behavior
This throws an error due to dereference of fizz[i]

New Behavior
There should be no error here unless it's outside the block. So only the latter dereference throws up an error in the below case.

@Nullable String [] fizz ={"1"}

if (fizz[i] != null) {
    fizz[i].toString();
}
fizz[i].toString();

[armughan11]

@msridhar

[msridhar]

Why is this @Nullable? Also, we shouldn't always use a String here. We want to use something like an Element for a local variable I think.

[codecov]

Codecov Report

Attention: Patch coverage is 86.25000% with 11 lines in your changes missing coverage. Please review.

Project coverage is 85.90%. Comparing base (a4ce249) to head (5df5697).

Files	Patch %	Lines
.../com/uber/nullaway/dataflow/ArrayIndexElement.java	56.25%	4 Missing and 3 partials ⚠️
...er/nullaway/dataflow/FieldOrMethodCallElement.java	78.94%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #963      +/-   ##
============================================
+ Coverage     85.88%   85.90%   +0.02%     
- Complexity     2051     2067      +16     
============================================
  Files            82       83       +1     
  Lines          6806     6859      +53     
  Branches       1312     1323      +11     
============================================
+ Hits           5845     5892      +47     
- Misses          547      550       +3     
- Partials        414      417       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[msridhar]

Looking great! I have some comments

[msridhar]

Needs Javadoc

[msridhar]

I think toString(), equals(), and hashCode() do not need to be declared here

[msridhar]

Needs Javadoc

[msridhar]

Needs Javadoc (you can take it from the previous docs for AccessPathElement)

[msridhar]

Rather than having two @Nullable fields here to represent the cases, I'd prefer a single field of type Object named index for simplicity and efficiency. The API can still be type safe (i.e., you can only pass in an Integer or an Element); the fact that the same field is used internally would be a private implementation detail. You can document the expectations in a comment.

[msridhar]

Allowing the array itself to be the result of a method invocation is a bit more risky. Let's remove this case, and handle it later if we decide we need it

[msridhar]

Why not strip the casts right at line 415?

[msridhar]

Let's not use defaultAssumption here; it's a bit confusing. Instead, add an explicit else at line 814 and set resultNullness to Nullness.NONNULL when we are not in JSpecify mode

[msridhar]

Just get rid of the initializer expression here:

Suggested change

	Nullness resultNullness = defaultAssumption;
	Nullness resultNullness;

[msridhar]

👍

[msridhar]

We should add tests for the following cases:

• Array expression is unhandled, like a method invocation (m()[i])
• Array index is unhandled (m[i()])
• Different index in conditional and deference (if (m[i] != null) { m[i+1].hashCode(); } should yield an error)

[msridhar]

Just get rid of the initializer expression here:

Suggested change

	Nullness resultNullness = defaultAssumption;
	Nullness resultNullness;

[msridhar]

This annotation should not be needed

[armughan11]

Fixed

[msridhar]

We can have the field be of Object object, but we should have two separate constructors, one for integer literals and one for variables / fields, each taking the appropriate type. We shouldn't allow for passing in an arbitrary Object as the index. Alternately (and perhaps better), make the constructor private, and then write two static methods, one for each case, with appropriate names (like makeWithIntegerIndex)

[armughan11]

Fixed

[627721565]

您好，邮件已经收到，查阅后会尽快给您回复！

[msridhar]

Hrm, I thought this case would be handled? What exact cases do we allow for index expressions again?

[armughan11]

Ah my bad, this should work fine for primitives. Updated this and method invocation case accordingly.

[msridhar]

I realized this change might have a deeper impact than we were expecting. Right now, the creation of access path elements for array accesses is not gated on the flag for JSpecify mode, and passing the NullAway config into all relevant methods to do that would be kind of painful. But, I believe this means that code like this will pass NullAway now, when it didn't before this change:

if (arr[i].f != null) {
  arr[i].f.toString();
}

@armughan11 can you write a test to confirm this?

@lazaroclapp do you see any high-level issues with not reporting warnings for code like the above? It seems to be keeping in the spirit of NullAway, but it does potentially introduce new vectors of unsoundness, e.g.:

if (arr[i].f != null) {
  arr[j] = null; // overwrites a[i] if i == j
  arr[i].f.toString(); // still no warning from NullAway
}

Most programs don't code too much directly with arrays, but I wonder if we should do some more performance and sanity testing before landing this.

[armughan11]

Just added the test and you're correct @msridhar. The test you mentioned works fine right now, but throws an error without our changes.

[msridhar]

Benchmarking didn't detect any perf regressions, and I rebuilt an internal code base with this change and didn't see any new errors or crashes.

I'm still hoping @lazaroclapp can give his feedback before we land this one.

[msridhar]

Gonna go ahead and merge this; I think we can address any concerns in follow-up PRs