Enforce conditional attributes within method bodies

[jcouv]

Fixes the second part of #36039 (enforcing nullability attributes in method bodies) by handling conditional attributes.

My previous PR (#40789) handled unconditional attributes and implemented a simple behavior for conditional attributes (ie. treat them unconditionally and leniently).

Note: the DoesNotReturnIf attribute won't have any enforcement. I don't think we can do that type of analysis.

[jcouv]

Tagging @cston @RikkiGibson since reviewed previous PR.
FYI @sharwell #Resolved

[sharwell]

📝 Need tests for DoesNotReturn calling another DoesNotReturn, e.g.:

[DoesNotReturn]
static void Fail() => Fail("message"); // should not warn

[DoesNotReturn]
static void Fail(string message) => throw null!;
``` #Resolved

[jcouv]

➡️ added test (composes as expected) #Resolved

[sharwell]

Suggested change

	throw null!; // to satisfy [DoesNotReturn]
	throw ExceptionUtilities.Unreachable;

[RikkiGibson]

This might be a good place for #pragma warning disable. In the future when we adopt the newer TFM we should get the [DoesNotReturn] attribute on Environment.FailFast and we can delete the pragma. @JoeRobich don't we have a mechanism to periodically search our sources for disabled warnings and turn them back on?

See https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/src/coreclr/src/System.Private.CoreLib/src/System/Environment.CoreCLR.cs#L52

---

In reply to: 369127571 [](ancestors = 369127571)

[JoeRobich]

@JoeRobich don't we have a mechanism to periodically search our sources for disabled warnings and turn them back on?

@RikkiGibson If we did, I would like to know about it. Find in Files maybe? #Resolved

[sharwell]

I'm not sure I agree with this note. Each of the warnings is code that is at best misleading, and a likely source of annotation errors that could cascade once the attribute checks are fully implemented. #Closed

[RikkiGibson]

Chatted offline with @jcouv and it's feeling like these warnings are good.

---

In reply to: 369130807 [](ancestors = 369130807)

[jcouv]

➡️ removed comment #Resolved

[RikkiGibson]

Are there any behavioral changes from this change? #Closed

[jcouv]

No, this is just extracting the logic so that it can be called from the new checks. #Closed

[RikkiGibson]

Why do we need to look at the returned expression before conversions are applied? #Closed

[jcouv]

If there is a conversion from some custom type to bool, then we can't do the new analysis. We don't know what logic that conversion might contain. We lose track of whenTrue/False branches in conversions, since it's custom logic.

Also imagine if that conversion produced nullability warnings, we'd want to run it through VisitImplicitConversion. #Closed

[RikkiGibson]

It feels like this doc comment is asking the opposite question of what the method is asking (should I assign without a warning, versus should I report) #Closed

[jcouv]

➡️ fixed comment #Closed

[RikkiGibson]

are the parens necessary? #Closed

[jcouv]

➡️ removed #Closed

[RikkiGibson]

sense [](start = 84, length = 5)

It would be good to have a more descriptive name for this parameter. Maybe possibleReturnValue? (not in love with that name either, though..) #Closed

[jcouv]

I don't love it either :-$
The reason I used "sense" is because I've seen it used in other places for such situations (applying some logic either to the true or the false branch). #Closed

[RikkiGibson]

Was this incidental to the change, or a result of the NullableWalker change? #Closed

[jcouv]

Without this, we can't bootstrap. The compiler would complain that buildArgument is null upon exit.
But we know it's not null in this case, because we checked the .Kind above. #Closed

[RikkiGibson]

error [](start = 28, length = 5)

I expected this to be a warning. Did I misinterpret something? #Closed

[jcouv]

Not sure how I messed up the comment. I"ll fix #Closed

[RikkiGibson]

TClass [](start = 10, length = 6)

Consider deleting the TClass from this test. #Closed

[jcouv]

➡️ deleted extraneous type parameter #Closed

[RikkiGibson]

What does the "happy case" for this look like? Perhaps y == null || z == null? Is that test present here? #Closed

[jcouv]

➡️ added test #Closed

[RikkiGibson]

Some more cases I'd like to see coverage for:

• Suppression (am I expected to put ! on the value being assigned? or on the expression being returned?)
• Composition
  • Should be able to use a decorator pattern on methods with equivalent sets of MaybeNullWhen/NotNullWhen attributes
  • Should be able to compose methods with "equivalent" combinations of attributes e.g. a [NotNullWhen(true)] out string? s1 composes with a [MaybeNullWhen(false)] out string s2 #Closed

[jcouv]

In terms of suppression, you can't suppress this new warning directly (except maybe with #nullable disable warnings or explicit diagnostic suppression). You can also put non-null values into the parameters in question, with ! suppressions if needed.

I'll add tests for composition. Could you clarify the decorator scenario you had in mind? #Closed

[jcouv]

➡️ added tests for composition #Resolved

[RikkiGibson]

I was thinking of:

using System.Collections.Generic;

class DictionaryDecorator
{
    readonly Dictionary<string, string> _dict;
    DictionaryDecorator(Dictionary<string, string> dict)
    {
        _dict = dict;
    }

    public bool TryGetValue(string key, [MaybeNullWhen(false)] out string value)
    {
        return _dict.TryGetValue(key, out value);
    }
}

which is not all that different from simple method composition, I'll grant :)

---

In reply to: 369371615 [](ancestors = 369371615)

[RikkiGibson]

Done with review pass (iteration 1)

[cston]

should throw on all code paths [](start = 48, length = 30)

Is the following a valid use of [DoesNotReturn]?

[DoesNotReturn]
static int F()
{
    while (true) { }
}
``` #Closed

[jcouv]

➡️ added test (no warning on above method) #Closed

[cston]

Sorry, I wasn't clear. I meant a method marked [DoesNotReturn] does not need to throw on all code paths. Perhaps the message should be "A method marked [DoesNotReturn] should not return."

---

In reply to: 369386905 [](ancestors = 369386905)

[cston]

WRN_MethodShouldThrow [](start = 8, length = 21)

Perhaps WRN_ShouldNotReturn. #Closed

[jcouv]

➡️ done #Resolved

[cston]

methodMainNode.Syntax.GetLastToken().GetLocation() [](start = 33, length = 50)

Consider passing in the method syntax instead rather than calling GetLocation() eagerly. #Closed

[jcouv]

I don't think I could do that, because the check on end of method uses the last token of the syntax, instead of a SyntaxNode #Resolved

[cston]

I don't follow. Couldn't the method be defined as:

void EnforceDoesNotReturn(SyntaxNode syntax)
{
    ...
    ReportDiagnostic(ErrorCode.WRN_ShouldNotReturn,
        syntax.GetLastToken().GetLocation());
}

---
In reply to: [369381283](https://github.com/dotnet/roslyn/pull/41098#discussion_r369381283) [](ancestors = 369381283)

[cston]

private [](start = 8, length = 7)

static #Closed

[jcouv]

➡️ done #Resolved

[cston]

The caller could check this. #Closed

[jcouv]

➡️ makes sense. Done #Resolved

[cston]

"??" [](start = 58, length = 4)

Will this be confused for two consecutive slots each MaybeNull? #Closed

[jcouv]

It wasn't confusing because we print variable names and annotations. So it shows x?y??z! for example #Resolved

[RikkiGibson]

It would be handy to have // 1, // 2 comments in this test #Closed

[RikkiGibson]

Do we get an analogous warning behavior when a method equivalent to TryGetValue3 calls TryGetValue2? #Closed

[RikkiGibson]

Is DoesNotReturn supported on property/event accessors? Do we have analogous tests for those scenarios? #Closed

[jcouv]

That is not supported. The attribute has [AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
`

---

In reply to: 369755491 [](ancestors = 369755491)

[RikkiGibson]

Done with review pass (iteration 2)

[jcouv]

@RikkiGibson @cston Please take another look when you get the chance. Thanks #Resolved

[RikkiGibson]

I can't find tests which demonstrate the expected behavior around composition like the following:

bool TryGetValue1(string key, [MaybeNullWhen(false)] out string value) => TryGetValue2(key, out value);
bool TryGetValue2(string key, [NotNullWhen(true)] out string? value) => TryGetValue1(key, out value);
``` #Closed

[jcouv]

Added. Thanks

---

In reply to: 369852520 [](ancestors = 369852520)

[RikkiGibson]

[RikkiGibson]

This is a really cool bit of functionality. Thanks for doing this work. #Resolved

[jcouv]

@RikkiGibson Haha, thanks. This PR reminds me of an earlier one that made ‘Debug.Assert(!string.IsNullOrEmpty(x))’ work. It’s nice when things fall nicely together ;) #Resolved

[cston]

Can this be simplified to expr.Kind != BoundKind.Conversion? At that point, it can be inlined. #Closed

[jcouv]

I worried that we might generate identity conversions.

---

In reply to: 370273577 [](ancestors = 370273577)

[jcouv]

Thanks. This check was unnecessary after all. Removed.

---

In reply to: 370294344 [](ancestors = 370294344,370273577)

[cston]

continue; [](start = 24, length = 9)

Unnecessary. #Closed

[cston]

        return true;

Are we testing s = null; return true;? #Closed

---

Refers to: src/Compilers/CSharp/Test/Semantic/Semantics/NullableReferenceTypesTests.cs:20739 in 59b3c0e. [](commit_id = 59b3c0e, deletion_comment = False)

[cston]

isUnconvertedBooleanExpression(expr) [](start = 20, length = 36)

Are we testing this case? (If this check is removed, would tests fail?) #Pending

[cston]

} [](start = 8, length = 1)

Please test:

static bool TryGetValue([MaybeNullWhen(false)]out string s)
{
    s = null;
    return (bool)true;
}

It doesn't necessarily need to warn but we should test the behavior.

[jcouv]

Added the test
The cast ruins the conditional analysis (ie. no warning on return (bool)true; nor return (bool)false;.