https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111229

            Bug ID: 111229
           Summary: -fanalyzer confused about conditional operator branch name
           Product: gcc
           Version: 13.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: medhefgo at web dot de
  Target Milestone: ---

In the following test case, the analyzer has the conditional operator's
branches confused: It thinks the "true" branch is "false" and vice-versa.

$ cat test.c
char test_true() {
  char *c, v = 1;
  if (v) {
    c = (char *)0;
  } else {
    c = "a";
  }
  return *c;
}
char test_false() {
  char *c, v = 1;
  c = v ? (char *)0 : "a";
  return *c;
}

$ gcc -o/dev/null -c test.c -fanalyzer
test.c: In function ‘test_true’:
test.c:8:10: warning: dereference of NULL ‘c’ [CWE-476] [-Wanalyzer-null-dereference]
    8 |   return *c;
      |          ^~
  ‘test_true’: events 1-4
    |
    |    3 |   if (v) {
    |      |      ^
    |      |      |
    |      |      (1) following ‘true’ branch (when ‘v != 0’)...
    |    4 |     c = (char *)0;
    |      |     ~~~~~~~~~~~~~
    |      |       |
    |      |       (2) ...to here
    |      |       (3) ‘c’ is NULL
    |......
    |    8 |   return *c;
    |      |          ~~
    |      |          |
    |      |          (4) dereference of NULL ‘c’
    |
test.c: In function ‘test_false’:
test.c:13:10: warning: dereference of NULL ‘c’ [CWE-476] [-Wanalyzer-null-dereference]
   13 |   return *c;
      |          ^~
  ‘test_false’: events 1-5
    |
    |   12 |   c = v ? (char *)0 : "a";
    |      |   ~~~~~~~~~~~~~~~~~~^~~~~
    |      |     |               |
    |      |     |               (1) following ‘false’ branch (when ‘v != 0’)...
    |      |     |               (2) ...to here
    |      |     |               (3) ‘0’ is NULL
    |      |     (4) ‘c’ is NULL
    |   13 |   return *c;
    |      |          ~~
    |      |          |
    |      |          (5) dereference of NULL ‘c’
    |

https://godbolt.org/z/hTvn9PMb4