https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101962
Bug ID: 101962
Summary: Analyzer NULL false positive with pointer manipulation
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
-fanalyzer emits two warnings on this code:
#define NULL ((void *)0)
int *
func1(int *ptr) {
if (!ptr)
return NULL;
return ++ptr;
}
int
main() {
int stack;
int *a = &stack;
a = func1(a);
a = func1(a);
return *a;
}
Compiler Explorer link: https://godbolt.org/z/ohecfvdd8
gcc 11.2 emits:
<source>:16:10: warning: dereference of NULL 'a' [CWE-476]
[-Wanalyzer-null-dereference]
16 | return *a;
| ^~
for the path in which ptr is non-NULL in the first call, and then NULL in the
2nd call, i.e. for which &stack == (NULL) - 1.
Whilst this is technically correct, it won't occur in practise and is thus
effectively a false positive that we shouldn't warn for.
trunk also emits:
<source>:16:10: warning: use of uninitialized value '*a' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
16 | return *a;
| ^~
for the path in which ptr is non-NULL in both calls, and so we're effectively
accessing (&stack)[2], which is a true problem in the software under test, but
would be better to report as an out-of-bounds warning (the analyzer doesn't yet
do bounds checking).
Downstream report: https://bugzilla.redhat.com/show_bug.cgi?id=1995092
