Enforce unconditional attributes within method bodies

[jcouv]

Addresses part of #36039
MaybeNullWhen and NotNullWhen are treated unconditionally to produce fewer warnings.
DoesNotReturn and DoesNotReturnIf are not yet enforced.
OHI will come later.

Fixes #40139 ([DisallowNull] T parameter has not-null initial value)
Fixes #39922

Relates to discussion in LDM on Jan 6th 2020.

[jcouv]

📝 removed empty method #Resolved

[jcouv]

@dotnet/roslyn-compiler @cston for review. Thanks

I'll add a note to breaking changes. #Closed

[cston]

internal [](start = 8, length = 8)

Is this change needed? #Closed

[cston]

type is null [](start = 23, length = 12)

When do we hit this, and is it necessary to report a warning in that case? #Resolved

[cston]

private static #Closed

[cston]

output to a target marked with [](start = 109, length = 30)

Is this qualifier necessary? Do we need to differentiate "assigned to" and "output to", or can we find one phrase that captures both?

How about: "A possible null value may not be used for a type marked with [NotNull] or [DisallowNull]"? #Closed

[cston]

It's not clear we're that the attributes affect the property bodies since there are no warnings. Should the assignments be changed to = null' to at least test two of the four? #Closed

[sharwell]

💡 The previous test has good coverage of these, so a starting point could model after it. #Resolved

[cston]

Nont [](start = 20, length = 4)

Typo #Closed

[sharwell]

📝 Should have a test showing that x = default is allowed within a method like this. #Closed

[jcouv]

@sharwell I disagree with this one. x = default is disallowed (ie. a warning) in absence of [DisallowNull], so should still be disallowed. #Closed

[sharwell]

That makes sense to me. Consider adding a line showing this diagnostic is reported for the case. #Resolved

[jcouv]

I think that case is already covered. See DefaultLiteralInConditional #Resolved

[sharwell]

💡 The previous test has good coverage of these, so a starting point could model after it. #Resolved

[sharwell]

😟 This makes sense if you have { get; }, but I don't see why this would be a warning if the property has a setter and has [AllowNull], especially since it uses the suppression in default!. #Closed

[jcouv]

We analyze a body that says return backingField;. But that backing field is a TOpen and lacks attribute annotations. So we warn.
I'll take a look to see if we can refine that. #Closed

[jcouv]

I find out that some warnings involving backing fields and other compiler-generated values were suppressed. I removed that, which not only keeps this warning on P1, but also adds a warning on P3.
@sharwell @cston Let me know what you think about those. In my opinion, those are bad usages of the attributes, and so I think it's actually desirable to warn. #Resolved

[sharwell]

Both cases can be resolved (in user code) by removing the unnecessary initializing expression. If users find this confusing, we can iterate on it. #Resolved

[jcouv]

From discussion with @cston I'm going to restore the logic to skip analyzing bodies of auto-prop getters and setters. We'll lose some warning about misused attributes, but that's okay.

One reason is that there is a scenario where that would produce an unwanted warning: [MaybeNull, AllowNull] T { get; set; } which the user can't fix. #Resolved

[sharwell]

💡 It would be good to have a test showing that the value can be assigned in a constructor to eliminate the warning (may already exist as a test). #Resolved

[sharwell]

❔ I didn't see a test that used the following in a constructor:

P5 = new TStruct();

Unlike the newly-added NotNull_Property_InitializedInConstructor cases, I would expect the above to not produce a warning and resolve the warning reported on the property definition in the two tests here. #Pending

[jcouv]

📝 not sure if we can hit this. Just included for safety. #Resolved

[cston]

// We need to skip return backingField; in auto-prop getters [](start = 16, length = 62)

Can we simply avoid running NullableWalker on auto-property accessors? #Resolved

[jcouv]

We could, but I'd prefer to contain the scope of this PR given timeline.
Also, even if we skip auto-prop accessors, we'll still need some logic to skip compiler-generated nodes because of field = initializerValue; that is injected to constructor body and analyzed.

---

In reply to: 367228167 [](ancestors = 367228167)

[cston]

Please consider logging a bug to skip auto-property accessors.

---

In reply to: 367632535 [](ancestors = 367632535,367228167)

[jcouv]

Filed #41017 #Resolved

[cston]

boundValueOpt is object && boundValueOpt.WasCompilerGenerated [](start = 16, length = 61)

Consider using ?. #Resolved

[jcouv]

@dotnet/roslyn-compiler for a second review please.
Thanks @cston! #Resolved

[RikkiGibson]

Consider naming CheckDisallowNullAssignment to more strongly denote that this is about DisallowNullAttribute #Resolved

[jcouv]

I think that "check disallowed null assignment" rings better as an action. I'll keep as-is

---

In reply to: 368161189 [](ancestors = 368161189)

[RikkiGibson]

ToInwardAnnotations [](start = 47, length = 19)

Consider naming ToInboundAnnotations to resemble similar terminology used in VisitArguments

[RikkiGibson]

Style between this and the above if feels inconsistent #Closed

[jcouv]

Yes, that's on purpose. MaybeNull is two bits, either of which should count (see comment above).
NotNull is also two bits, but we are lenient (we ignore NotNullWhenTrue and NotNullWhenFalse on their own here).

---

In reply to: 368161275 [](ancestors = 368161275)

[jcouv]

I'll add a comment

---

In reply to: 368183067 [](ancestors = 368183067,368161275)

[RikkiGibson]

T x [](start = 55, length = 3)

I think this is maybe innate to the problem, but it feels odd to have a different message here depending on whether AllowNull was used. In F5, T is "definitely maybe null", but in FA, T is "possibly maybe null". #WontFix

[jcouv]

We could have the new check (from CheckDisallowedNullAssignment) report the same diagnostic as the regular checks that VisitConversion can report. But since we have more context/information here, I figured out that some hint would be helpful, when possible. But it is a bit inconsistent, I agree.

---

In reply to: 368176797 [](ancestors = 368176797)

[RikkiGibson]

static void F2<T>(   [AllowNull]T x,    [AllowNull]out T y) { y = x; } // 2

It feels like AllowNull/DisallowNull on out parameters is something that could never be what the user intended. Related to #36073 #Resolved

---

Refers to: src/Compilers/CSharp/Test/Semantic/Semantics/NullableReferenceTypesTests.cs:119870 in 501855b. [](commit_id = 501855b, deletion_comment = True)

[RikkiGibson]

static void F8<T>(              T x, [DisallowNull]T y) { y = x; }

It feels like if assigning maybe-null to a [NotNull]T parameter gives a warning, assigning maybe-null to a [DisallowNull]T parameter inside the method should give a warning. #WontFix

---

Refers to: src/Compilers/CSharp/Test/Semantic/Semantics/NullableReferenceTypesTests.cs:119847 in 501855b. [](commit_id = 501855b, deletion_comment = True)

[RikkiGibson]

static void FA<T>(              T x,      [NotNull]T y) { y = x; }

Also consider a // 1 comment here.

---

Refers to: src/Compilers/CSharp/Test/Semantic/Semantics/NullableReferenceTypesTests.cs:120557 in 501855b. [](commit_id = 501855b, deletion_comment = False)

[RikkiGibson]

[return: NotNull] public override T F1<T>(T t) => t;

Consider adding a // 1 comment here #Resolved

---

Refers to: src/Compilers/CSharp/Test/Semantic/Semantics/NullableReferenceTypesTests.cs:33885 in 501855b. [](commit_id = 501855b, deletion_comment = False)

[RikkiGibson]

Is this just additional coverage, or did your change affect behavior of these scenarios? It doesn't seem like enforcing unconditional attributes inside the members using the attributes affects this? #Resolved

[jcouv]

For a while, this PR include analyzing the body of the auto-prop accessors. So those tests were useful.
Since I added the tests, I'd rather keep them even though they are less useful now :-)

---

In reply to: 368177028 [](ancestors = 368177028)

[RikkiGibson]

// [](start = 59, length = 2)

Was typing // -1 a bridge too far? :) #Resolved

[jcouv]

I could not bring myself to do it :-P

---

In reply to: 368177057 [](ancestors = 368177057)

[RikkiGibson]

nit: Consider updating the diagnosic message in this comment. I had started to comment about how this message could be better but it turned out you already changed it for the better :)

[RikkiGibson]

[jcouv]

static void F2<T>(   [AllowNull]T x,    [AllowNull]out T y) { y = x; } // 2

Per our discussion and spec, NotNull is definitely useful on inputs.
I can't think of a scenario where AllowNull or DisallowNull would be useful on an output. But I don't want to produce individual warnings for those situations until we've decided that we want to warn on misused attributes as a whole (there are many more cases that could warrant a warning).

---

In reply to: 575833532 [](ancestors = 575833532)

---

Refers to: src/Compilers/CSharp/Test/Semantic/Semantics/NullableReferenceTypesTests.cs:119870 in 501855b. [](commit_id = 501855b, deletion_comment = True)

[jcouv]

FYI @cston, I took Rikki's suggestion so that void M([DisallowNull]T x) { x = null; } now produces a warning and void M([AllowNull]string x) { x = null; } no longer does.

[jcouv]

FYI @cston, I took Rikki's suggestion so that void M([DisallowNull]T x) { x = null; } now produces a warning and void M([AllowNull]string x) { x = null; } no longer does.

Never mind, that won't work because of void M([DisallowNull] ref T x) { x = null; } scenario. I'll revert.