Dubious NULL check¶
ID: cpp/dubious-null-checkKind: problemSecurity severity: Severity: warningPrecision: very-highTags: - reliability - readabilityQuery suites: - cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
The expression&foo->bar gets the address offoo’s memberbar, which is the address offoo plus the offset of thebar member. If said offset is non-zero, then the expression&foo->bar only equalsNULL when the address offoo is negative. While this is not impossible, it can only happen iffoo is a negative integer explicitly cast to a pointer, or iffoo is a pointer into kernel-mode address space. As neither of these cases are particularly likely, theNULL-check is dubious.
Recommendation¶
Either theNULL-check is entirely redundant, or the wrong thing is being checked againstNULL. In the former case, the check can be replaced with booleantrue orfalse, and then the surrounding context can be simplified. In the latter case, consider which sub-expressions might beNULL, and test them instead. In particular, simply removing the ampersand may yield a more suitable expression to test.
Example¶
structperson{intid;char*name;};boolhasName(person*p){returnp!=NULL// This check is sensible,&&p->name!=NULL// as is this one.&&&p->name!=NULL;// But this check is dubious.}