https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783
Bug ID: 105783
Summary: -Wanalyzer-null-dereference false positive with union and functions
Product: gcc
Version: 12.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: kamilcukrowski at gmail dot com
Target Milestone: ---

> the exact version of GCC; the system type; the options given when GCC was
> configured/built;

```
$ gcc --version
gcc (GCC) 12.1.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ cat /etc/arch-release
Arch Linux release

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/12.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-bootstrap --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit --enable-cet=auto --enable-checking=release --enable-clocale=gnu --enable-default-pie --enable-default-ssp --enable-gnu-indirect-function --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-multilib --enable-plugin --enable-shared --enable-threads=posix --disable-libssp --disable-libstdcxx-pch --disable-werror --with-build-config=bootstrap-lto --enable-link-serialization=1
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.1.0 (GCC)
```

> the complete command line that triggers the bug; the compiler output (error
> messages, warnings, etc.);

I have the following MCVE:

```
struct ss_s {
        union out_or_counting_u {
                char *newstr;
                unsigned long long cnt;
        } uu;
        _Bool counting;
};

struct ss_s ss_init(void) {
        struct ss_s rr = { .counting = 1 };
        return rr;
}

void ss_out(struct ss_s *t, char cc) {
        if (!t->counting) {
                *t->uu.newstr++ = cc;
        }
}

int main() {
        struct ss_s ss = ss_init();
        ss_out(&ss, 'a');
}
```

Compiling with gcc12.1 with `-fanalyzer -O` results in https://godbolt.org/z/K84Pr1zcx :

```
<source>: In function 'ss_out':
<source>:16:33: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
   16 |                 *t->uu.newstr++ = cc;
      |                 ~~~~~~~~~~~~~~~~^~~~
  'main': events 1-2
    |
    |   20 | int main() {
    |      | ^~~~
    |      | |
    |      | (1) entry to 'main'
    |   21 |         struct ss_s ss = ss_init();
    |   22 |         ss_out(&ss, 'a');
    |      |         ~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) calling 'ss_out' from 'main'
    |
    +--> 'ss_out': events 3-7
           |
           |   14 | void ss_out(struct ss_s *t, char cc) {
           |      |      ^~~~~~
           |      |      |
           |      |      (3) entry to 'ss_out'
           |   15 |         if (!t->counting) {
           |      |            ~
           |      |            |
           |      |            (4) following 'false' branch...
           |   16 |                 *t->uu.newstr++ = cc;
           |      |                 ~~~~~~~~~~~~~~~~~~~~
           |      |                 |               |   |
           |      |                 |               |   (7) dereference of NULL '*t.uu.newstr'
           |      |                 |               (6) '0' is NULL
           |      |                 (5) ...to here
           |
```

It will not be null, because `t->counting` is true. GCC seems to take the wrong branch on line 15 `if (t->counting) {` inside `ss_out`. I feel like changing random things makes the problem go away, like changing `counting` from `bool` to `int` or changing `count` from `size_t` to `unsigned`.

Thanks for the amazing gcc!
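The tagged union from the MCVE, exercised in both of its modes so the guard the analyzer mis-evaluates can be checked at run time. This is an added example, not code from the bug report or from GCC: `struct ss_s`, `ss_init` and the guard in `ss_out` keep the report's shape, while `ss_init_output`, `ss_count`, `ss_copy` and the `*_ok` / `*_rejected` helpers are names made up here for the illustration. It also shows why the analyzer's "'0' is NULL" event is consistent with the source (the designated initializer zero-fills the union, so `uu.newstr` really is a null pointer in counting mode) and that what is wrong is only the infeasible branch.

```c
/* Added example, not code from the bug report: the report's tagged union
 * driven in counting mode and in output mode. Names other than struct ss_s,
 * ss_init and ss_out are invented for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct ss_s {
        union out_or_counting_u {
                char *newstr;           /* live only when counting == 0 */
                unsigned long long cnt; /* live only when counting == 1 */
        } uu;
        _Bool counting;
};

/* As in the report. The designated initializer initializes the rest of the
 * struct as if it had static storage (C11 6.7.9), so the union's first
 * member, newstr, is a null pointer here: the analyzer's "'0' is NULL" is a
 * true statement about the value. The tag keeps the pointer unreachable. */
struct ss_s ss_init(void) {
        struct ss_s rr = { .counting = 1 };
        return rr;
}

/* Output mode: the union holds the write cursor instead of the counter. */
struct ss_s ss_init_output(char *buf) {
        struct ss_s rr = { .uu.newstr = buf, .counting = 0 };
        return rr;
}

/* The report's ss_out with the counting branch filled in: the pointer is
 * dereferenced only when the tag says the pointer member is live. */
void ss_out(struct ss_s *t, char cc) {
        if (!t->counting) {
                *t->uu.newstr++ = cc;
        } else {
                t->uu.cnt++;
        }
}

/* Pass 1: run the emitter in counting mode to learn the output length.
 * cnt is reset explicitly rather than relying on the zeroed pointer
 * member having the same width as the counter on every target. */
unsigned long long ss_count(const char *s) {
        struct ss_s ss = ss_init();
        ss.uu.cnt = 0;
        for (; *s; s++) ss_out(&ss, *s);
        return ss.uu.cnt;
}

/* Pass 2: emit into a caller buffer, refusing if pass 1 says it won't fit.
 * Returns the number of characters written, 0 if the buffer is too small. */
size_t ss_copy(const char *s, char *out, size_t outsz) {
        unsigned long long need = ss_count(s);
        if (need + 1 > outsz) return 0;
        struct ss_s ss = ss_init_output(out);
        for (; *s; s++) ss_out(&ss, *s);
        *ss.uu.newstr = '\0';
        return (size_t)need;
}

/* 1 if a freshly initialised counting-mode state carries a null pointer
 * behind the tag, i.e. exactly the situation the analyzer reports on. */
int ss_init_has_null_ptr(void) {
        struct ss_s ss = ss_init();
        return ss.counting && ss.uu.newstr == NULL;
}

/* 1 if counting and copying agree for s and the copy round-trips. */
int ss_roundtrip_ok(const char *s) {
        char buf[64];
        size_t n = ss_copy(s, buf, sizeof buf);
        return n == strlen(s) && strcmp(buf, s) == 0;
}

/* 1 if a too-small destination is rejected before anything is written. */
int ss_small_buffer_rejected(void) {
        char buf[3] = "zz";
        return ss_copy("hello", buf, sizeof buf) == 0 && strcmp(buf, "zz") == 0;
}

int main(void) {
        printf("count(\"hello\") = %llu\n", ss_count("hello"));
        printf("roundtrip ok: %d\n", ss_roundtrip_ok("hello"));
        printf("small buffer rejected: %d\n", ss_small_buffer_rejected());
        printf("init leaves null ptr behind tag: %d\n", ss_init_has_null_ptr());
        return 0;
}
```

Compiling this with `-fanalyzer -O` on an affected GCC is the quickest way to see whether the false positive survives the extra `else` branch and the second initializer; at run time the program never reaches the dereference while `counting` is set, which is what the analyzer's path claims it does.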