https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105783
Bug ID: 105783
Summary: -Wanalyzer-null-dereference false positive with union and functions
Product: gcc
Version: 12.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: kamilcukrowski at gmail dot com
Target Milestone: ---
> the exact version of GCC; the system type; the options given when GCC was
> configured/built;
```
$ gcc --version
gcc (GCC) 12.1.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ cat /etc/arch-release
Arch Linux release
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/12.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure
--enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-bootstrap
--prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/
--with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit
--enable-cet=auto --enable-checking=release --enable-clocale=gnu
--enable-default-pie --enable-default-ssp --enable-gnu-indirect-function
--enable-gnu-unique-object --enable-linker-build-id --enable-lto
--enable-multilib --enable-plugin --enable-shared --enable-threads=posix
--disable-libssp --disable-libstdcxx-pch --disable-werror
--with-build-config=bootstrap-lto --enable-link-serialization=1
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.1.0 (GCC)
```
> the complete command line that triggers the bug ; the compiler output (error
> messages, warnings, etc.);
I have the following MCVE:
```
struct ss_s {
    union out_or_counting_u {
        char *newstr;
        unsigned long long cnt;
    } uu;
    _Bool counting;
};

struct ss_s ss_init(void) {
    struct ss_s rr = { .counting = 1 };
    return rr;
}

void ss_out(struct ss_s *t, char cc) {
    if (!t->counting) {
        *t->uu.newstr++ = cc;
    }
}

int main() {
    struct ss_s ss = ss_init();
    ss_out(&ss, 'a');
}
```
Compiling with gcc12.1 with `-fanalyzer -O` results in
https://godbolt.org/z/K84Pr1zcx :
```
<source>: In function 'ss_out':
<source>:16:33: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
16 | *t->uu.newstr++ = cc;
| ~~~~~~~~~~~~~~~~^~~~
'main': events 1-2
|
| 20 | int main() {
| | ^~~~
| | |
| | (1) entry to 'main'
| 21 | struct ss_s ss = ss_init();
| 22 | ss_out(&ss, 'a');
| | ~~~~~~~~~~~~~~~~
| | |
| | (2) calling 'ss_out' from 'main'
|
+--> 'ss_out': events 3-7
|
| 14 | void ss_out(struct ss_s *t, char cc) {
| | ^~~~~~
| | |
| | (3) entry to 'ss_out'
| 15 | if (!t->counting) {
| | ~
| | |
| | (4) following 'false' branch...
| 16 | *t->uu.newstr++ = cc;
| | ~~~~~~~~~~~~~~~~~~~~
| | | | |
| | | | (7) dereference of NULL '*t.uu.newstr'
| | | (6) '0' is NULL
| | (5) ...to here
|
```
It will not be null, because `t->counting` is true. GCC seems to take the wrong
branch on line 15 `if (t->counting) {` inside `ss_out`. I feel like changing
random things makes the problem go away, like changing `counting` from `bool`
to `int` or changing `count` from `size_t` to `unsigned`.
Thanks for the amazing GCC!
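For context on why the flagged dereference is unreachable, here is the count-then-write idiom that a tagged union like the report's `ss_s` is typically used for, written out as an added example. This is not the reporter's code and not GCC's; the two-pass usage (`ss_init_counting`, `ss_init_writing`, `ss_copy`, `ss_count`) is an assumed reconstruction, since the report does not say what the original program did. The only point it makes concrete is that `counting` selects which union member is live, so `newstr` is never read while `counting` is true. Building it with `-fanalyzer -O` lets you check whether the analyzer still warns on this fuller shape.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Same tagged union as the report's MCVE: `counting` says which
 * union member is live, so at most one of them is ever valid. */
struct ss_s {
    union out_or_counting_u {
        char *newstr;            /* live only when counting == false */
        unsigned long long cnt;  /* live only when counting == true  */
    } uu;
    bool counting;
};

/* Counting mode (hypothetical helper): newstr is never set or read. */
struct ss_s ss_init_counting(void) {
    struct ss_s rr = { .uu.cnt = 0, .counting = true };
    return rr;
}

/* Writing mode (hypothetical helper): buf was sized by a counting pass. */
struct ss_s ss_init_writing(char *buf) {
    struct ss_s rr = { .uu.newstr = buf, .counting = false };
    return rr;
}

/* Emit one character: write it in writing mode, count it in counting mode.
 * The dereference is guarded by the discriminator; when counting is true
 * the `newstr` member is never touched. */
void ss_out(struct ss_s *t, char cc) {
    if (!t->counting) {
        *t->uu.newstr++ = cc;
    } else {
        t->uu.cnt++;
    }
}

/* Number of characters a counting pass over src sees (hypothetical helper). */
unsigned long long ss_count(const char *src) {
    struct ss_s counter = ss_init_counting();
    for (const char *p = src; *p; ++p)
        ss_out(&counter, *p);
    return counter.uu.cnt;
}

/* Two-pass copy (hypothetical helper): count, allocate exactly, then write.
 * Returns a malloc'd NUL-terminated copy of src, or NULL if malloc fails. */
char *ss_copy(const char *src) {
    unsigned long long n = ss_count(src);

    char *buf = malloc(n + 1);
    if (buf == NULL)
        return NULL;

    struct ss_s writer = ss_init_writing(buf);
    for (const char *p = src; *p; ++p)
        ss_out(&writer, *p);
    *writer.uu.newstr = '\0';   /* writer.uu.newstr == buf + n here */
    return buf;
}

int main(void) {
    /* Constructed sample input. */
    char *s = ss_copy("abc");
    int ok = (s != NULL) && (strcmp(s, "abc") == 0);
    free(s);
    return ok ? 0 : 1;
}
```

The `ss_init_counting` initializer sets `counting` before any call to `ss_out`, exactly as the MCVE's `ss_init` does, so every path that reaches the `*t->uu.newstr++` store has `counting == false` and a buffer from the writing-mode initializer.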