Dereference of a null pointer

NULL pointer dereferenced

Description

This defect occurs when you use a pointer with a value of NULL as if it points to a valid memory location. If you dereference the zero address, such as 0x00, Polyspace^® considers the null address as equivalent to NULL and raises this defect.

Risk

Dereferencing a null pointer is undefined behavior. In most implementations, the dereference can cause your program to crash.

Fix

Check a pointer for NULL before dereference.

If the issue occurs despite an earlier check for NULL, look for intermediate events between the check and the subsequent dereference. Often the result details (or source code tooltips in Polyspace as You Code) show a sequence of events that led to the defect. You can implement the fix on any event in the sequence. If the result details do not show this event history, you can search for previous references of variables relevant to the defect using right-click options in the source code and find related events. See also Interpret Bug Finder Results in Polyspace Desktop User Interface or Interpret Bug Finder Results in Polyspace Access Web Interface (Polyspace Access).

See examples of fixes below.

Extend Checker

A default Bug Finder analysis might not raise this defect when the input values are unknown and only a subset of inputs cause an issue. To check for defects caused by specific system input values, run a stricter Bug Finder analysis. See Extend Bug Finder Checkers to Find Defects from Specific System Input Values.

Examples

expand all

Null pointer error

#include <stdlib.h>

int FindMax(int *arr, int Size) 
{
 int* p=NULL;

 *p=arr[0];
 /* Defect: Null pointer dereference */

 for(int i=0;i<Size;i++)
  {
   if(arr[i] > (*p))
     *p=arr[i];    
  }

 return *p;
}

The pointer p is initialized with value of NULL. However, when the value arr[0] is written to *p, p is assumed to point to a valid memory location.

Correction — Assign Address to Null Pointer Before Dereference

One possible correction is to initialize p with a valid memory address before dereference.

#include <stdlib.h>

int FindMax(int *arr, int Size) 
{
 /* Fix: Assign address to null pointer */
 int* p=&arr[0];       

 for(int i=0;i<Size;i++)
  {
   if(arr[i] > (*p))
     *p=arr[i];    
  }

 return *p;
}

Result Information

Group: Static memory

Language: C | C++

Default: On

Command-Line Syntax: NULL_PTR

Impact: High

Version History

Introduced in R2013b

expand all

R2023a: Defect not reported if dereferenced pointer is `NULL` only in error states

Polyspace no longer reports these defects if you dereference pointers that can be NULL only in certain error states. In this code, the pointer *x can be NULL if the input a is NULL. The error state (a==NULL) might be checked and remedied elsewhere in your code. Starting in R2023a, Polyspace does not flag dereferencing *x or arithmetic operations on *x.

struct A {
    int i;
    int j;
};


int *foo(struct A* a) {

    if (a == NULL) {
        return 0;
    }
    return &(a->j);
}


void bar(struct A* b) {
    int * x = foo(b);
    *x = 0; //Compliant
}

Dereference of a null pointer

Description

Risk

Fix

Extend Checker

Examples

Null pointer error

Result Information

Version History

R2023a: Defect not reported if dereferenced pointer is `NULL` only in error states

See Also

Topics

Dereference of a null pointer

Description

Risk

Fix

Extend Checker

Examples

Null pointer error

Result Information

Version History

R2023a: Defect not reported if dereferenced pointer is NULL only in error states

See Also

Topics

R2023a: Defect not reported if dereferenced pointer is `NULL` only in error states