At [2] it takes the false branch, which should be impossible given the logic in the assert() at line 1247, and the assumption of NULL at [1[a]].
I'm using the clang / scan-build in packaged Ubuntu 10.10.
Also, it would be helpful if, instead of saying "pointer value" in "[a] Assuming pointer value is null", it actually gave the name of the pointer it meant (user->prev). It's a bit ambiguous at the moment as there are other pointer values there.
Extended Description
This screenshot of a dereference of NULL pointer report shows a false positive.
http://www.netsurf-browser.org/temp/content-llcache2.png
At [2] it takes the false branch, which should be impossible given the logic in the assert() at line 1247, and the assumption of NULL at [1[a]].
I'm using the clang / scan-build in packaged Ubuntu 10.10.
Also, it would be helpful if, instead of saying "pointer value" in "[a] Assuming pointer value is null", it actually gave the name of the pointer it meant (user->prev). It's a bit ambiguous at the moment as there are other pointer values there.