False positive for C++/MFC code

Hello,
it seems we got a false positive on the C++ rule "Null pointers should not be dereferenced" [cpp:S2259].
We are using SonarQube 10.0.0.68432.

This issue is raised on this code:

AFX_MANAGE_STATE(AfxGetStaticModuleState());
CString strKey;
strKey.Format(_T("%s"), bstrKey);
// Guard: throw before any dereference if no map has been set
if (!m_pMapPairs)
    AfxThrowOleDispatchException(-1, _T("No map set for this CaptureBarcode object."));
CString strValue;
// S2259 is reported on this dereference of m_pMapPairs
if (m_pMapPairs->Lookup(strKey, strValue))
    return TRUE;
else
    return FALSE;

The issue is reported for the access to m_pMapPairs, although this is already checked for null in:

if (!m_pMapPairs)
    AfxThrowOleDispatchException(-1, _T("No map set for this CaptureBarcode object."));

So when it really is null, this dereferencing code is never reached.

Is this a known issue? Would checking (m_pMapPairs == nullptr) instead of (!m_pMapPairs) fix this false positive? What further information can we provide?

Thanks!

Hi @Wolfgang_Gogg!

My guess is that AfxThrowOleDispatchException() is not marked noreturn, and because of that, we think the control can fall through on that branch (where m_pMapPairs is null), reaching the dereference.

I would recommend you generate a reproducer and send it to us on some channel to investigate your case(s).

To generate the reproducer file:

  • Search in the analysis log for the full path of the source file for which you want to create a reproducer (for instance, a file that contains a false-positive). You will have to use exactly this name (same case, / or \…)
  • Add the reproducer option to the scanner configuration:
    sonar.cfamily.reproducer="Full path to the .cpp"
  • Re-run the scanner to generate a file named sonar-cfamily.reproducer in the project folder.
  • Please share this file. If you think this file contains private information, let us know, and we’ll send you a private message that will allow you to send it privately.
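The noreturn explanation above, as an added example that is not part of either post and not MFC code: std::map stands in for the CMap behind m_pMapPairs, std::runtime_error stands in for the OLE dispatch exception, and a thin [[noreturn]] wrapper around the throwing call is the pattern that lets a static analyzer prove the null branch never reaches the dereference.

```cpp
#include <exception>
#include <map>
#include <stdexcept>
#include <string>

// Assumption: std::map replaces the MFC CMap that m_pMapPairs points to.
using PairMap = std::map<std::string, std::string>;

// Stand-in for AfxThrowOleDispatchException(): it throws, but nothing in its
// declaration says so, which is the situation the reply describes. An analyzer
// that only sees the declaration must assume control can continue after the call.
void ThrowOleDispatchStandIn(int code, const std::string& msg) {
    throw std::runtime_error(std::to_string(code) + ": " + msg);
}

// Fix pattern: a [[noreturn]] wrapper. The attribute tells the compiler and the
// analyzer that control never continues past this call, so the null branch of
// the check in LookupKey() cannot fall through to the dereference.
[[noreturn]] void ThrowNoMapSet() {
    ThrowOleDispatchStandIn(-1, "No map set for this CaptureBarcode object.");
    // Unreachable; guards against falling off the end of a [[noreturn]] function
    // (undefined behaviour) should the stand-in ever return.
    std::terminate();
}

// Same control flow as the posted code: check, throw or continue, dereference.
bool LookupKey(const PairMap* pMapPairs, const std::string& key, std::string& value) {
    if (!pMapPairs)
        ThrowNoMapSet();   // pMapPairs is provably non-null from here on
    auto it = pMapPairs->find(key);
    if (it == pMapPairs->end())
        return false;
    value = it->second;
    return true;
}

// Exercises the null path: true if the guard threw instead of dereferencing.
bool LookupThrowsOnNullMap() {
    std::string v;
    try {
        LookupKey(nullptr, "k", v);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}

// Exercises the non-null path on a constructed sample map.
bool LookupOnSampleMapWorks() {
    PairMap m{{"barcode", "value-1"}};   // constructed sample data
    std::string v;
    return LookupKey(&m, "barcode", v) && v == "value-1" && !LookupKey(&m, "missing", v);
}
```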