Geoffrey1014 / SA_Bugs

record bugs of static analyzers

Clang Static Analyzer core.NullDereference false positive for `*e = (0 == e)` #7

Open Geoffrey1014 opened 1 year ago

Geoffrey1014 commented 1 year ago

date: 2022-10-25
commit: 8c1a508616b438ace29429f4da3f4912772c5503
args: --analyze --analyzer-output text
test:

# include <stdio.h>

void a(int *e) {
//   printf("NPD_FLAG: %d\n", e[0]);
    *e = (0 == e);
}
int main() {
    int d[4];
    for (int c =0 ; c < 4; c++)
        ;
    a(d);
    return 0;
}

report: https://github.com/llvm/llvm-project/issues/58621
fix:
original:

Geoffrey1014 commented 1 year ago

I got a false positive error when compiling the following "minimal, complete and verifiable example (MCVE)" program:

# include <stdio.h>

void a(int *e) {
//   printf("NPD_FLAG: %d\n", e[0]);
    *e = (0 == e);
}
int main() {
    int d[4];
    for (int c =0 ; c < 4; c++)
        ;
    a(d);
    return 0;
}

Compiling the above code with Clang (trunk) with --analyze --analyzer-output text in https://godbolt.org/z/nfrbd4P5h results in:

<source>:5:8: warning: Dereference of null pointer (loaded from variable 'e') [core.NullDereference]
    *e = (0 == e);
     ~ ^
<source>:5:11: note: Assuming 'e' is equal to null
    *e = (0 == e);
          ^~~~~~
<source>:5:8: note: Dereference of null pointer (loaded from variable 'e')
    *e = (0 == e);
     ~ ^
1 warning generated.
Compiler returned: 0

But the false positive error will disappear if I change the "c < 4" to "c < 3" or comment out lines 9-10, as in the following two:

# include <stdio.h>

void a(int *e) {
//   printf("NPD_FLAG: %d\n", e[0]);
    *e = (0 == e);
}
int main() {
    int d[4];
    for (int c =0 ; c < 3; c++)
        ;
    a(d);
    return 0;
}

# include <stdio.h>

void a(int *e) {
//   printf("NPD_FLAG: %d\n", e[0]);
    *e = (0 == e);
}
int main() {
    int d[4];
    //for (int c =0 ; c < 4; c++)
    //    ;
    a(d);
    return 0;
}
ghost commented 10 months ago

GSA not FP: https://godbolt.org/z/16Eb5oq7Y
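The statement the analyzer complains about, `*e = (0 == e)`, tests `e` for null and unconditionally dereferences it in the same expression. The path the report describes (assume `e == NULL` from the comparison, then store through `e`) is exactly the path such code takes if it is ever called with a null pointer; the report is a false positive only because the sole caller passes a stack array. The following is an added example, not code from the issue or from LLVM: it keeps the reproducer's function beside a rewrite (`a_guarded`, a name assumed here) in which the null test is a guard rather than a value, so the dereference is only reachable on the non-null branch and there is no path on which the analyzer's assumption and the store conflict.

```c
#include <stddef.h>
#include <stdio.h>

/* Pattern from the issue: the pointer is tested for null in the same
 * statement that unconditionally dereferences it. With a non-null e this
 * is well-defined and stores 0; with a null e it is a real null write.
 * The analyzer splits its state on `0 == e`, and on the e == NULL branch
 * the store `*e` is precisely the dereference it reports. */
void a_original(int *e) {
    *e = (0 == e);
}

/* Rewrite (assumed here, not from the issue): the null test becomes an
 * early return, so `*e` is only evaluated when e != NULL. Stores the same
 * value a_original stores for a non-null e. Returns -1 when e is NULL. */
int a_guarded(int *e) {
    if (e == NULL)
        return -1;
    *e = 0;
    return 0;
}

/* Drive both on a stack array, mirroring main() in the reproducer.
 * Returns 1 when both behave as expected, 0 otherwise. */
int run_reproducer(void) {
    int d[4] = {7, 7, 7, 7};   /* constructed sample input */
    a_original(d);             /* d is never null here: no real bug */
    int first = d[0];          /* 0, because (0 == e) is false */
    d[0] = 7;
    int rc = a_guarded(d);
    return (first == 0 && rc == 0 && d[0] == 0) ? 1 : 0;
}

int main(void) {
    printf("reproducer ok: %d\n", run_reproducer());
    printf("guarded(NULL): %d\n", a_guarded(NULL));
    return 0;
}
```

The rewrite does not change what the function does for the caller in the reproducer; it only removes the contradiction between "e may be null" (implied by the comparison) and "e is dereferenced no matter what", which is the ambiguity the analyzer turns into a report when it cannot see the caller's argument.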