This warning is reported when an object reference is dereferenced and then compared with null, and the reference is not changed on the trace between the dereference and the check. It is therefore very likely that either the object reference might be null at the point of dereference, or the null check is improper.

Vulnerability and risk

The warning identifies one of three things:

  • A pointer that can be null by design was dereferenced without a proper check, and this will lead to a runtime error.
  • A condition is written incorrectly and, therefore, the code will not work as intended.
  • There is a redundant check; unnecessary code will be generated.

Example 1

1                  public class A {
2                      public void foo() {
3                          A a = null;
4                          a.foo();
5                          if (a == null)
6                              a = new A();
7                      }
8                  }

Klocwork produces an issue report (CS.RNRE) at line 4 for variable 'a'. It is dereferenced at line 4 by calling the method 'foo', and then, at line 5, 'a' is compared with null in the if statement.
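
The following C# program is an added illustration, not part of the Klocwork documentation. It shows the flagged shape next to the corrected form for two of the causes listed above: a reference that is null by design, and a redundant check. Session, SessionStore and all method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; every type and method name here is hypothetical.
public sealed class Session
{
    public readonly string User;
    public Session(string user) { User = user; }
}

public static class SessionStore
{
    // Constructed sample data: one known token.
    private static readonly Dictionary<string, Session> Sessions =
        new Dictionary<string, Session> { { "t-1", new Session("alice") } };

    // Null by design: an unknown token yields null.
    public static Session Find(string token)
    {
        Session s;
        return Sessions.TryGetValue(token, out s) ? s : null;
    }

    // Flagged shape: dereference first, null check afterwards.
    public static string UserOfFlagged(string token)
    {
        Session s = Find(token);
        string user = s.User;               // throws for an unknown token
        if (s == null) return "anonymous";  // never reached when s is null
        return user;
    }

    // Null by design, fixed: the check precedes the dereference.
    public static string UserOf(string token)
    {
        Session s = Find(token);
        return s == null ? "anonymous" : s.User;
    }

    // Redundant check, fixed: a freshly constructed object needs no null test.
    public static string UserOfNew(string name) { return new Session(name).User; }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(SessionStore.UserOf("t-1"));
        Console.WriteLine(SessionStore.UserOf("missing"));
        try { SessionStore.UserOfFlagged("missing"); }
        catch (NullReferenceException) { Console.WriteLine("flagged version threw"); }
    }
}
```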

Security training

Application security training materials provided by Secure Code Warrior.