https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105958
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> --- A particularly bad example seems to be gcc.dg/analyzer/null-deref-pr108830.c: https://godbolt.org/z/rabfxeaxz which currently emits: <source>: In function 'apr_hash_merge': <source>:82:24: warning: dereference of NULL 'new_vals' [CWE-476] [-Wanalyzer-null-dereference] 82 | new_vals[j].klen = iter->klen; /* { dg-warning "dereference of NULL 'new_vals'" } */ | ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~ 'apr_hash_merge': event 1 | | 57 | apr_hash_entry_t* new_vals = NULL; | | ^~~~~~~~ | | | | | (1) 'new_vals' is NULL | 'apr_hash_merge': event 2 | | 62 | res->free = NULL; | | ^ | | | | | (2) 'new_vals' is NULL | 'apr_hash_merge': event 3 | | 62 | res->free = NULL; | | ^ | | | | | (3) 'new_vals' is NULL | 'apr_hash_merge': events 4-17 | | 62 | res->free = NULL; | | ^ | | | | | (4) 'new_vals' is NULL |...... | 71 | if (base->count + overlay->count) { | | ~ | | | | | (5) following 'false' branch... |...... | 75 | j = 0; | | ~~~~~ | | | | | (6) ...to here | 76 | for (k = 0; k <= base->max; k++) { | | ~~~~~~~~~~~~~~ | | | | | (7) following 'true' branch... | 77 | for (iter = base->array[k]; iter; iter = iter->next) { | | ~~~~~~~~~~~ ~~~~ | | | | | | | (9) following 'true' branch (when 'iter' is non-NULL)... | | (8) ...to here | 78 | i = iter->hash & res->max; | | ~~~~~~~~~~ | | | | | (10) ...to here |...... | 82 | new_vals[j].klen = iter->klen; /* { dg-warning "dereference of NULL 'new_vals'" } */ | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (17) dereference of NULL 'new_vals + (long unsigned int)j * 40' | | (11) 'new_vals' is NULL | 83 | /* ...but not for subsequent ones: */ | 84 | new_vals[j].key = iter->key; /* { dg-bogus "dereference of NULL 'new_vals'" "PR analyzer/108830" } */ | | ~ | | | | | (12) 'new_vals' is NULL | 85 | new_vals[j].val = iter->val; /* { dg-bogus "dereference of NULL 'new_vals'" "PR analyzer/108830" } */ | | ~ | | | | | (13) 'new_vals' is NULL | 86 | new_vals[j].hash = iter->hash; /* { dg-bogus "dereference of NULL 'new_vals'" "PR analyzer/108830" } */ | | ~ | | | | | (14) 'new_vals' is NULL | 87 | new_vals[j].next = res->array[i]; /* { dg-bogus "dereference of NULL 'new_vals'" "PR analyzer/108830" } */ | | ~ | | | | | (15) 'new_vals' is NULL | 88 | res->array[i] = &new_vals[j]; /* { dg-bogus "dereference of NULL 'new_vals'" "PR analyzer/108830" } */ | | ~~~~~~~~~~~~ | | | | | (16) 'new_vals' is NULL | ...where events 2-4 and 12-16 seem to be noise.
