Clang Error on "Potential null dereference."

I keep getting Clang errors on the following type of code and I can't figure out why they're erroneous or how to resolve them to Clang's satisfaction:

+ (NSString *)checkForLength: (NSString *)theString error: (NSError **)error {
	BOOL hasLength = ([theString length] > 0);
	if (hasLength) return theString;
	else {
        *error = [NSError errorWithDomain:@"ErrorDomain" code:hasLength userInfo:nil];
        return nil;
	}
}

Leaving aside the utterly-contrived nature of the example (which Clang did object to so it's illustrative enough), Clang balks at the error assignment line with the following objection:

> Potential null dereference. According to coding standards in 'Creating and Returning NSError Objects' the parameter 'error' may be null.

I like having a pristine Clang report. I've read the cited document and I can't see a way to do what's expected; I checked some open-source Cocoa libraries and this seems to be a common idiom. Any ideas?

The way to do what's expected is shown in listing 3-5 in that document. With your example code:

+ (NSString *)checkForLength: (NSString *)theString error: (NSError **)error {
    BOOL hasLength = ([theString length] > 0);
    if (hasLength) return theString;
    else {
        if (error != NULL) *error = [NSError errorWithDomain:@"ErrorDomain" code:hasLength userInfo:nil];
        return nil;
    }
}

The Cocoa convention is that the return value should indicate success or failure (in this case, you return nil for failure) and the error is filled in with additional information, but only when the caller requests it.

In other words

NSError *error = nil;
NSString *result = [self checkForLength: aString error: &error];

and

NSString *result = [self checkForLength: aString error: NULL];

are both valid ways to invoke the method. So the method body should always check for a NULL error param:

if (error != NULL)
    *error = ...;