False positive for S2637 on c++


I’m experiencing a false-positive for S2637 with SonarCloud here https://sonarcloud.io/project/issues?resolved=false&severities=MINOR&types=BUG&id=L-Acoustics_avdecc&open=AYPLCelZQ_TgyqSxpM1J

I think the issue might be related to the fact that it goes through a macro before going to the actual function.
Basically, AVDECC_ASSERT_WITH_RET will return the condition passed in 1st parameter as a boolean, so in this case 4 (assuming pointer value is null) and 5 (assuming the condition is true) are mutually exclusive.

PS: I tried to tag this post for c++ but the optional tag doesn’t let me do it (so I tagged for C).


Hi @christophe-calmejane
Welcome to our community and thank you for reporting a false positive!

You are right in your guess. The issue comes from the way our analyzer handles

AVDECC_ASSERT_WITH_RET(commandSpecificData != nullptr, "commandSpecificData must not be nullptr")

Uncommonly, the macro does no harm here. The analyzer can see through the macro and interpret its definition in the context of its invocation.

It is the thing it is defined to that is the trouble. This macro is substituted with a call to the avdeccAssert function. This function is not defined in the translation unit corresponding to protocolAemAecpdu.cpp.

Our analyzer does not support cross-translation-unit analysis at the moment, so it cannot see that avdeccAssert returns its argument. We do not have any estimate of when we will be able to resolve this.
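The following is an added, self-contained illustration of the pattern discussed in this thread; it is not the project's code and not something either poster wrote. The names avdeccAssert and AVDECC_ASSERT_WITH_RET come from the thread, but the macro body, the avdeccAssert body (placed in the same file here so the example compiles on its own, whereas the thread says it lives in another translation unit), the caller functions and the sample buffer are all assumptions. It shows why the early return and the dereference are mutually exclusive only if the analyzer knows that avdeccAssert returns its first argument, and contrasts it with an alternative macro shape (also an assumption, not something the thread proposes) in which the branch depends on a value computed in the current translation unit.

```cpp
#include <cstddef>
#include <cstdint>

// Assumed stand-in for the other translation unit. The thread says avdeccAssert is
// defined somewhere the analyzer cannot see; it is placed here so the example builds
// stand-alone. Returning the condition unchanged matches the thread's description and
// is an assumption, not the project's implementation.
bool avdeccAssert(bool condition, char const* /*message*/)
{
    return condition;
}

// Assumed reconstruction of the macro shape described in the thread: it expands to a
// call to avdeccAssert and yields the condition as a bool.
#define AVDECC_ASSERT_WITH_RET(condition, message) avdeccAssert((condition), (message))

// Hypothetical caller modelled on the dereference pattern from the thread. To an
// analyzer that cannot read avdeccAssert's body, the branch below depends on an opaque
// return value, so it cannot prove that the early return (pointer null) and the
// dereference further down (pointer non-null) are mutually exclusive.
std::uint8_t firstByteOpaque(std::uint8_t const* commandSpecificData, std::size_t length)
{
    if (!AVDECC_ASSERT_WITH_RET(commandSpecificData != nullptr, "commandSpecificData must not be nullptr"))
    {
        return 0; // null pointer: leave before any dereference
    }
    if (length == 0)
    {
        return 0; // nothing to read
    }
    return commandSpecificData[0]; // only reachable with a non-null pointer
}

// Alternative macro shape (an assumption for illustration): evaluate the condition into
// a local, hand that local to avdeccAssert for its side effects, and branch on the local.
// The value controlling the branch is now computed in this translation unit, so deciding
// whether the two paths exclude each other no longer requires the callee's body.
#define AVDECC_ASSERT_WITH_RET_LOCAL(condition, message)                                  \
    ([&]() -> bool {                                                                       \
        bool const assertionHolds = (condition);                                           \
        avdeccAssert(assertionHolds, (message));                                           \
        return assertionHolds;                                                             \
    }())

// Same hypothetical caller, using the local-capture macro.
std::uint8_t firstByteLocal(std::uint8_t const* commandSpecificData, std::size_t length)
{
    if (!AVDECC_ASSERT_WITH_RET_LOCAL(commandSpecificData != nullptr, "commandSpecificData must not be nullptr"))
    {
        return 0;
    }
    if (length == 0)
    {
        return 0;
    }
    return commandSpecificData[0];
}

// Constructed sample input for exercising both callers.
std::uint8_t const kSampleCommandData[] = {0x7f, 0x01, 0x02};
std::size_t const kSampleCommandLength = sizeof(kSampleCommandData);
```

Both callers behave identically at run time; the difference is only in what a static analyzer that stops at translation-unit boundaries can see, which is the situation the reply above describes.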