Preserve narrowing for const-qualified pointer types

cs01 · cs01 · commit ac90a8543c0a · 2025-12-03T10:41:24.000-08:00
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -5,9 +5,18 @@ Development branch: `null-safe-c-dev`
 ## Building
 
 ### Standard (x86)
+
+**Clang only:**
 ```bash
 mkdir build && cd build
 cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="clang" ../llvm
+ninja clang
+```
+
+**Clang + clangd (language server):**
+```bash
+mkdir build && cd build
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="clang;clang-tools-extra" ../llvm
 ninja clang clangd
 ```
 
@@ -36,7 +45,9 @@ ninja clang
 
 ## Testing
 ```bash
-build/bin/llvm-lit -v clang/test/Sema/strict-nullability.c
+cd build
+ninja FileCheck count not split-file llvm-config
+./bin/llvm-lit -v ../clang/test/Sema/strict-nullability.c
 ```
 
 ## Releases
diff --git a/README.md b/README.md
@@ -2,45 +2,53 @@
 
 [![Test Null-Safety](https://github.com/cs01/llvm-project/actions/workflows/test-null-safety.yml/badge.svg)](https://github.com/cs01/llvm-project/actions/workflows/test-null-safety.yml)
 
-Nullsafe C adds NULL checks to catch errors at compile-time, not runtime. It is 100% compatible with existing C codebases and can be used incrementally to identify safety issues at compile-time.
+Nullsafe C adds NULL checks to catch errors at compile-time. It is 100% compatible with existing C codebases and can be used incrementally to identify safety issues at compile-time. 
 
-You can annotate your code with `_Nonnull` to presere narrowing.
+This provides the following benefits:
+* This makes the code safer by reducing the number of potential runtime null dereferences
+* Improves developer experience by shifting errors left
+* Makes the code more readable
+* Adds type errors that other more modern languages have (Rust, TypeScript, Kotlin)
 
 **Try it online:** [Interactive Playground](https://cs01.github.io/llvm-project/) - See null-safety warnings in real-time in your browser!
 
-It does this by making two changes:
-1. All pointers are nullable by default, unless explicitly marked `_Nonnull`. Clang already allows the code to be annotated with `_Nullable` and `_Nonnull`, but this compiler treats all unmarked pointers as nullable by default.
-2. The compiler tracks when you've null-checked a pointer and knows it's safe to use. When you write `if (p)`, the type system understands `p` is non-null in that branch.
+Nullsafe C treats all pointers as potentially null ('nullable') unless it is certain they are not. It does this in two ways. 
 
-## Example
+The first is by semantic analysis: if you test a pointer with `if(p)`, then it knows that branch contains a non-null pointer.
+
+The second is by using Clang's [`Nullability`](https://clang.llvm.org/docs/AttributeReference.html#nullability-attributes) attributes, in particular `_Nonnull`. If a pointer is marked as `_Nonnull` the compiler will require a pointer it knows it not null is passed to it. This can be done either by passing a `_Nonnull`-annotated pointer, or by doing type narrowing. 
+
+If using a compiler other than clang, you can add `#define _Nonnull` as a no-op. You will not get the same compile checks as with Nullsafe C (clang fork), but the compillation will still succeed without error.
+
+## Examples
 
 ```c
 void unsafe(int *data) {
-  *data = 42; // warning - data might be null!
+  *data = 42; // warning: dereferencing nullable pointer of type 'int * _Nullable'
 }
+```
+[Try it in the interactive playground](https://cs01.github.io/llvm-project/?code=dm9pZCB1bnNhZmUoaW50ICpkYXRhKSB7CiAgKmRhdGEgPSA0MjsgLy8gd2FybmluZzogZGVyZWZlcmVuY2luZyBudWxsYWJsZSBwb2ludGVyIG9mIHR5cGUgJ2ludCAqIF9OdWxsYWJsZScKfQ%3D%3D)
 
+Type narrowing:
+```c
 void safe(int *data) {
   if (data) {
     *data = 42; // OK - data is non-null here
   }
 }
+```
+[Try it in the interactive playground](https://cs01.github.io/llvm-project/?code=dm9pZCBzYWZlKGludCAqZGF0YSkgewogIGlmIChkYXRhKSB7CiAgICAqZGF0YSA9IDQyOyAvLyBPSyAtIGRhdGEgaXMgbm9uLW51bGwgaGVyZQogIH0KfQ%3D%3D)
 
+Anontated with `_Nonnull`:
+```c
 void safe_typed(int *_Nonnull data) {
-  *data = 42; // OK - data is known to be non-null by the compiler
+  *data = 42; // OK - we know data is not null so we can derefernce it
 }
-
 ```
-Try it out in the [Interactive Playground](https://cs01.github.io/llvm-project/).
-
-## Installation
+[Try it in the interactive playground](https://cs01.github.io/llvm-project/?code=dm9pZCBzYWZlX3R5cGVkKGludCAqX05vbm51bGwgZGF0YSkgewogICpkYXRhID0gNDI7IC8vIE9LIC0gd2Uga25vdyBkYXRhIGlzIG5vdCBudWxsIHNvIHdlIGNhbiBkZXJlZmVybmNlIGl0Cn0%3D)
 
-### Prerequisites
 
-**macOS:**
-```bash
-brew install zstd
-xcode-select --install  # If not already installed
-```
+## Installation
 
 ### Quick Install
 
@@ -50,6 +58,12 @@ curl -fsSL https://raw.githubusercontent.com/cs01/llvm-project/null-safe-c-dev/i
 
 Or download manually from [releases](https://github.com/cs01/llvm-project/releases).
 
+On mac you may need to do the following:
+```bash
+brew install zstd
+xcode-select --install  # If not already installed
+```
+
 ### Windows
 
 Builds not available at this time, you must clone and build locally.
@@ -62,7 +76,7 @@ Each release includes:
 
 ### IDE Integration
 
-Once installed, configure your editor to use the null-safe `clangd`:
+Once installed, configure your editor to use the null-safe `clangd`. Install the `clangd` extension from llvm and set the path to the clangd binary you just downloaded.
 
 **VSCode:**
 ```json
diff --git a/clang/lib/Sema/Sema.cpp b/clang/lib/Sema/Sema.cpp
@@ -1051,16 +1051,33 @@ void Sema::HandleAssertNarrowing(FunctionDecl *FDecl, CallExpr *TheCall) {
   }
 }
 
-// strict-nullability: Invalidate all narrowing in the current scope
 void Sema::InvalidateNarrowingInCurrentScope() {
   if (NullabilityNarrowingScopes.empty())
     return;
 
-  // Clear ALL narrowing in all scopes, not just the current one.
-  // This is conservative: function calls can have arbitrary side effects through
-  // global state, so we can't trust any narrowing after a function call.
   for (auto &Scope : NullabilityNarrowingScopes) {
-    Scope.clear();
+    llvm::SmallVector<const VarDecl*, 8> ToRemove;
+
+    for (const auto &Entry : Scope) {
+      const VarDecl *VD = Entry.first;
+      QualType VarType = VD->getType();
+
+      bool PreserveNarrowing = false;
+      if (const PointerType *PT = VarType->getAs<PointerType>()) {
+        QualType PointeeType = PT->getPointeeType();
+        if (PointeeType.isConstQualified()) {
+          PreserveNarrowing = true;
+        }
+      }
+
+      if (!PreserveNarrowing) {
+        ToRemove.push_back(VD);
+      }
+    }
+
+    for (const VarDecl *VD : ToRemove) {
+      Scope.erase(VD);
+    }
   }
 }
 
diff --git a/clang/test/Sema/strict-nullability-invalidation.c b/clang/test/Sema/strict-nullability-invalidation.c
@@ -47,3 +47,18 @@ void test_no_invalidation_without_calls(int* p) {
     }
 }
 
+int is_valid(const char c);
+
+void test_const_param_preserves_narrowing(const char* data) {
+    if (!data) return;
+    const int isvalid = is_valid(*data);
+    char val = *data;  // OK - narrowing preserved by const parameter
+}
+
+void test_const_param_multiple_calls(const int* value) {
+    if (!value) return;
+    int copy1 = *value;  // OK
+    is_valid((char)*value);
+    int copy2 = *value;  // OK - narrowing preserved, parameter is const
+}
+
