https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101962
Bug ID: 101962
Summary: Analyzer NULL false positive with pointer manipulation
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---

-fanalyzer emits two warnings on this code:

    #define NULL ((void *)0)

    int * func1(int *ptr)
    {
      if (!ptr)
        return NULL;
      return ++ptr;
    }

    int main()
    {
      int stack;
      int *a = &stack;
      a = func1(a);
      a = func1(a);
      return *a;
    }

Compiler Explorer link: https://godbolt.org/z/ohecfvdd8

gcc 11.2 emits:

    <source>:16:10: warning: dereference of NULL 'a' [CWE-476] [-Wanalyzer-null-dereference]
       16 |   return *a;
          |          ^~

for the path in which ptr is non-NULL in the first call, and then NULL in the 2nd call, i.e. for which &stack == (NULL) - 1. Whilst this is technically correct, it won't occur in practice and is thus effectively a false positive that we shouldn't warn for.

trunk also emits:

    <source>:16:10: warning: use of uninitialized value '*a' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
       16 |   return *a;
          |          ^~

for the path in which ptr is non-NULL in both calls, and so we're effectively accessing (&stack)[2], which is a true problem in the software under test, but would be better to report as an out-of-bounds warning (the analyzer doesn't yet do bounds checking).

Downstream report: https://bugzilla.redhat.com/show_bug.cgi?id=1995092
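The real defect in the reproducer is that `func1` advances a pointer without knowing how many elements remain, so two calls on `&stack` read `(&stack)[2]`. One way to make the bound explicit so the out-of-range step is refused at run time (added example, not code from the bug report or from GCC; the `span`, `advance` and `read_after_two_advances` names are this example's own):

```c
#include <stddef.h>

/* A pointer paired with the number of elements still addressable through it. */
struct span {
    int *ptr;
    size_t len;
};

/* Advance by one element, but only while another element remains in range.
 * Returns 0 on success, -1 on a NULL pointer or when the step would leave
 * the buffer (the case the reproducer hits on a single int). */
static int advance(struct span *s)
{
    if (s->ptr == NULL || s->len < 2)
        return -1;
    s->ptr++;
    s->len--;
    return 0;
}

/* Same shape as the reproducer's main(): two advances, then a read.
 * The value goes to *out; the return code says whether the read was in range. */
int read_after_two_advances(int *buf, size_t n, int *out)
{
    struct span s = { buf, n };
    if (advance(&s) != 0 || advance(&s) != 0)
        return -1;              /* refused instead of reading out of bounds */
    *out = *s.ptr;
    return 0;
}

/* Single int on the stack, as in the report: the read is rejected. */
int demo_single_int(void)
{
    int stack = 7;
    int v = 0;
    return read_after_two_advances(&stack, 1, &v);   /* returns -1 */
}

/* Three-element buffer (constructed sample): two advances land on arr[2]. */
int demo_three_ints(void)
{
    int arr[3] = { 1, 2, 3 };
    int v = 0;
    if (read_after_two_advances(arr, 3, &v) != 0)
        return -1;
    return v;                                         /* returns 3 */
}
```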