Describe nullability heuristics

Author: eholk

docs/code-quality/c6011.md

@@ -64,6 +64,28 @@ void f([Pre(Null=Yes)] char* pc)
 
 The careless use of `malloc` and `free` leads to memory leaks and exceptions. To minimize these kinds of leaks and exception problems altogether, avoid allocating raw memory yourself. Instead, use the mechanisms provided by the C++ Standard Library (STL). These include [`shared_ptr`](../standard-library/shared-ptr-class.md), [`unique_ptr`](../standard-library/unique-ptr-class.md), and [`vector`](../standard-library/vector.md). For more information, see [Smart Pointers](../cpp/smart-pointers-modern-cpp.md) and [C++ Standard Library](../standard-library/cpp-standard-library-reference.md).
 
+## Heuristics
+
+Pointers are assumed to be non-null unless there is some evidence that they might be null.
+In the examples we've seen so far, pointers returned by `malloc` or `new` might be null because allocation might fail.
+Another characteristic that the analysis engine uses as evidence of nullability is if the program explicitly checks for null.
+This is illustrated in the following examples:
+
+```cpp
+void f(int* n)
+{
+  *n = 1; // Does not warn, n is assumed to be non-null
+}
+
+void f(int* n)
+{
+  if (n) {
+    (*n)++;
+  }
+  *n = 1; // Warns because the earlier conditional shows that n might be null
+}
+```
+
 ## See also
 
 - [Using SAL Annotations to reduce code defects](using-sal-annotations-to-reduce-c-cpp-code-defects.md)