[analyzer] Should analyzer report about potential null-dereferencing?

ASDenysPetrov · April 16, 2020, 2:28pm

Next code generates a sink node and a bug report:

int setPtr(const int&);
int* getPtr();
void f(bool is, const int x, const int y)
{
const int *ptr = &x;

if (is) {

ptr = nullptr;

}
setPtr(*ptr);

}

But next code just generates a sink node without a bug report:

int setPtr(const int&);
int* getPtr();

void f(bool is, const int x, const int y)
{
const int *ptr = &x;

if (is) {

ptr = getPtr**()**;

}
setPtr(*ptr);

}

Why does analyzer act like that? Is there any command line option to turn this on?

NoQ · April 17, 2020, 10:04am

Why would the analyzer report potential null in the second example? I honestly don't see anything wrong with this code. There's no indication anywhere that the pointer may be null.

Sink node simply indicates that the execution path is impossible. In this case it indicates that after the analyzer admits that the pointer was dereferenced (in order to proceed with the analysis), it must also admit that the pointer wasn't null to begin with. It's not absolutely necessary to generate an explicit sink node in this case but there's not much harm in that either.

ASDenysPetrov · April 17, 2020, 4:06pm

Artem, thank you for clarification.

So, the answer is - Analyzer should not report about potential null-dereferencing, only just about explicit ones.

ASDenysPetrov · April 17, 2020, 9:14pm

Artem, ok. Thank you for clarification.

So the answer is that analyzer should not report about potential null-dereferencing.

P.S. Something strange happened to my previous letter. Sorry for bothering.