Incorrect "Called C++ object pointer is null" report -- when user code NULL-checks the dynamically casted value

[vakatov]

It looks that when the Static Analyzer sees a code branch which checks for a NULL dynamically casted value, then it (mistakenly) decides that the original pointer therefore is liable to be NULL as well:

$ cat test.cpp
class A { public: virtual void f(); };
class B : public A { public: virtual void f(); void fb(); };

void g(A* a)
{
    B* b = dynamic_cast<B*>(a);
    if (b)
        b->fb();
    else
        a->f();
}

$ /usr/local/llvm/20.1.1/bin/clang++ --analyze test.cpp
test.cpp:10:9: warning: Called C++ object pointer is null [core.CallAndMessage]
   10 |         a->f();
      |         ^~~~~~
1 warning generated.

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: Denis Vakatov, NCBI (vakatov)

It looks that when the Static Analyzer sees a code branch which checks for a NULL **dynamically casted** value, then it (mistakenly) decides that the original pointer therefore is liable to be NULL as well:

class A { public: virtual void f(void) const; };
class B : public A { public: virtual void f(void) const; };

void g(const A* a)
{
    const B* b = dynamic_cast<const B*>(a);
    if (b) {
        b->f();
        return;
    }
    a->f();
}

$ /usr/local/llvm/20.1.1/bin/clang++ --analyze fp.cpp
fp.cpp:11:5: warning: Called C++ object pointer is null [core.CallAndMessage]
   11 |     a->f();
      |     ^~~~~~
1 warning generated.

[vakatov]

We have quite a few such false positives reported for our code.

N.B. I improved the code in the sample a little (it looked a tad silly before... although it still illustrated the problem).

[haoNoQ]

Interactive example with full path notes: https://godbolt.org/z/4YEbvx8Yv

Basically, yeah, dynamic_cast can do one of the three things:

• Take a non-null pointer, pass it through confirming that the object is of the right type.
• Take a non-null pointer, return null because the object is of the wrong type.
• Take a null pointer, return null without learning any new information about any objects.

The third possibility is quite different from the first two for our modeling purposes, but even then, we probably shouldn't be considering it proactively just because dynamic_cast was applied to the pointer. Definitely not without a proper path note explaining what happened. Your code is completely normal so this is a false positive and we gotta fix it.

You can suppress these false positives by saying assert(a) at the beginning. (Or anywhere else.) (I included it in the godbolt example.)

[vakatov]

Great, thanks!