I was experimenting with -fanalyzer on gcc 10, and managed to get a null-pointer dereference reported in std::vector. But I'm not sure if my code has some mistake?
#include <vector>
class Bar
{
public:
explicit Bar()
{
}
int m_val;
};
int main()
{
std::vector<Bar> a;
std::vector<Bar> b(a);
static_cast<void>(b);
return 0;
}
It only fails with -O2 (or -O -O1 -O3)
g++-10 -fanalyzer TestVector.cpp -O2
In copy constructor ‘std::vector<_Tp, _Alloc>::vector(const std::vector<_Tp, _Alloc>&) [with _Tp = Bar; _Alloc = std::allocator<Bar>]’:
cc1plus: warning: dereference of NULL ‘__cur’ [CWE-690] [-Wanalyzer-null-dereference]
‘std::vector<_Tp, _Alloc>::vector(const std::vector<_Tp, _Alloc>&) [with _Tp = Bar; _Alloc = std::allocator<Bar>]’: events 1-2
|
|/usr/include/c++/10/bits/stl_vector.h:553:7:
| 305 | { _M_create_storage(__n); }
| | ~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) calling ‘std::_Vector_base<Bar, std::allocator<Bar> >::_M_create_storage’ from ‘std::vector<Bar>::vector’
|......
| 553 | vector(const vector& __x)
| | ^~~~~~
| | |
| | (1) entry to ‘std::vector<Bar>::vector’
|
+--> ‘void std::_Vector_base<_Tp, _Alloc>::_M_create_storage(std::size_t) [with _Tp = Bar; _Alloc = std::allocator<Bar>]’: events 3-5
|
| 346 | return __n != 0 ? _Tr::allocate(_M_impl, __n) : pointer();
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) following ‘false’ branch (when ‘__n == 0’)...
|......
| 359 | _M_create_storage(size_t __n)
| | ^~~~~~~~~~~~~~~~~
| | |
| | (3) entry to ‘std::_Vector_base<Bar, std::allocator<Bar> >::_M_create_storage’
| 360 | {
| 361 | this->_M_impl._M_start = this->_M_allocate(__n);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (5) ...to here
|
<------+
|
‘std::vector<_Tp, _Alloc>::vector(const std::vector<_Tp, _Alloc>&) [with _Tp = Bar; _Alloc = std::allocator<Bar>]’: events 6-7
|
| 305 | { _M_create_storage(__n); }
| | ~~~~~~~~~~~~~~~~~^~~~~
| | |
| | (6) returning to ‘std::vector<Bar>::vector’ from ‘std::_Vector_base<Bar, std::allocator<Bar> >::_M_create_storage’
|......
| 558 | std::__uninitialized_copy_a(__x.begin(), __x.end(),
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (7) ‘<unknown>’ is NULL
| 559 | this->_M_impl._M_start,
| | ~~~~~~~~~~~~~~~~~~~~~~~
| 560 | _M_get_Tp_allocator());
| | ~~~~~~~~~~~~~~~~~~~~~~
|
‘std::vector<_Tp, _Alloc>::vector(const std::vector<_Tp, _Alloc>&) [with _Tp = Bar; _Alloc = std::allocator<Bar>]’: event 8
|
|/usr/include/c++/10/bits/stl_uninitialized.h:90:23:
| 90 | for (; __first != __last; ++__first, (void)++__cur)
| | ~~~~~~~~^~~~~~~~~
| | |
| | (8) following ‘true’ branch...
|
‘std::vector<_Tp, _Alloc>::vector(const std::vector<_Tp, _Alloc>&) [with _Tp = Bar; _Alloc = std::allocator<Bar>]’: event 9
|
|/usr/include/c++/10/bits/stl_iterator.h:980:2:
| 980 | ++_M_current;
| | ^~
| | |
| | (9) ...to here
|
‘std::vector<_Tp, _Alloc>::vector(const std::vector<_Tp, _Alloc>&) [with _Tp = Bar; _Alloc = std::allocator<Bar>]’: event 10
|
|cc1plus:
| (10): dereference of NULL ‘__cur’
|
g++-10 -fanalyzer TestVector.cpp -O0
compiles fine.
Removing m_val or the constructor from Bar also compile fine.
$ g++-10 --version
g++-10 (Ubuntu 10.1.0-2ubuntu1~18.04) 10.1.0
Your code is not responsible. GCC is.
Someone reported a similar problem on the gcchelp mailing list, and the response from Mr Wakely was:
It's a known limitation that the analyzer doesn't support C++ yet.
It looks to me like it followed the "true" branch by mistake, though that's interesting because the conditional operator isn't unique to C++.
Unfortunately, this fact of the analyzer doesn't appear to be documented, at least not where the switch is described.