cpp:S3807 false positive - Parameter values should be appropriate

Hi @SRenick,
Thank you for providing me with the reproducer file, I have looked into it.
This is indeed a false positive for S3807 (and S2259 in the reproducer file you sent me).

The root cause of this false positive is the limitation of our analysis: it considers a single translation unit at a time, i.e., the analyzer sees only 1 .cc file + transitive closure of its included headers.

We are aware of this limitation but have no specific plan to handle it in the near future. You can track it with CPP-4723.

Specifically, in your case, it is the RSEncode function body that is missing (which is named slightly differently in the reproducer file you sent me). The function is declared, but it is not defined in the translation unit of the .cc file you’ve sent me. This puts the analyzer into the situation I was in when trying to reproduce the issue based on your code snippet:

The analyzer can see only the declaration of the function without the body, so it cannot know that the branch with null-dereference is impossible because a particular bit is set in the return value.

The only workaround I can suggest here is to make the definition of RSEncode available in the header file, which is, unfortunately, restructuring the code. Until we address the limitation of the analyzer, that is the only way to fix such false positives that I know of.

Let me know if you have further questions.
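
The situation described in the reply above, as an added illustration that is not part of the original post or the reporter's code: a caller whose null path is only ruled out by a bit that `RSEncode` always sets. The signature, the `kEncoded` flag, the `ParityOf` caller and the toy XOR body are assumptions made up for this sketch; only the name `RSEncode` comes from the thread.

```cpp
// Constructed illustration: signature, flag name and bodies are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstring>

constexpr std::uint32_t kEncoded = 0x4;  // hypothetical status bit

// rs.h, before: only this declaration is visible in the translation unit of
// caller.cc, so the return value is unconstrained from the analyzer's view:
//   std::uint32_t RSEncode(const std::uint8_t* in, std::size_t n,
//                          std::uint8_t* parity);

// rs.h, after (the suggested workaround): the body lives in the header, so
// every translation unit that includes it shows kEncoded set on all returns.
inline std::uint32_t RSEncode(const std::uint8_t* in, std::size_t n,
                              std::uint8_t* parity) {
    std::uint8_t acc = 0;
    for (std::size_t i = 0; i < n; ++i) {
        acc ^= in[i];  // toy XOR checksum, a stand-in for real Reed-Solomon
    }
    *parity = acc;
    return kEncoded | (n == 0 ? 0x1u : 0x0u);  // low bit: "empty input"
}

// caller.cc
inline std::uint8_t ParityOf(const std::uint8_t* in, std::size_t n) {
    std::uint8_t parity = 0;
    std::uint8_t result = 0;
    const std::uint8_t* src = nullptr;

    const std::uint32_t status = RSEncode(in, n, &parity);
    if (status & kEncoded) {
        src = &parity;  // taken on every real execution
    }
    // With the declaration only, the path "kEncoded clear, src == nullptr"
    // looks feasible, which is where S3807 lands on the memcpy argument
    // (S2259 would be the equivalent report for a plain *src).
    std::memcpy(&result, src, sizeof result);
    return result;
}
```

At run time `src` is never null here; the report disappears only once the body that proves it is part of the analyzed translation unit.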