<html>
    <head>
      <base href="http://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW --- - [analyzer] False positive with zero guard in malloc" href="http://llvm.org/bugs/show_bug.cgi?id=16558">16558</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[analyzer] False positive with zero guard in malloc
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>kremenek@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>solo-cfe@goeswhere.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvmbugs@cs.uiuc.edu
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Using clang 1:3.4~svn185771-1~exp1 (llvm-toolchain-wheezy), the code (note the
malloc(1) case):

#include <stdint.h>
#include <string.h>
#include <stdlib.h>

void *smalloc(size_t size) {
    if (size == 0) {
        return malloc(1);
    } else {
        return malloc(size);
    }
}

char *dupstr(const char *s) {
    const int len = strlen(s);
    char *p = smalloc(len + 1);
    strcpy(p, s);
    return p;
}


% clang -Weverything --analyze -c that.c
misc.c:16:5: warning: String copy function overflows destination buffer
    strcpy(p, s);
    ^~~~~~~~~~~~
1 warning generated.


Size cannot be zero, and, even if it is, the behaviour is still correct? 
Removing the size == 0 case fixes this.

I can't even fathom what's going on here.  To be clear: I believe this code is
correct and I don't know why an error is coming out.

Sample derived from real code; it wants to always return at least a zero-length
string (i.e. one byte), but the s(afe)malloc reimplementation is used
everywhere, and most analyses hence fail.

--

Debian clang version 3.4-1~exp1 (trunk) (based on LLVM 3.4)
Target: x86_64-pc-linux-gnu
Thread model: posix

Linux om 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux</pre>
        </div>
      </p>
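A hardened variant of the reporter's pattern, added here as an example and not code from the report or from clang: it keeps the zero guard in the allocator, keeps the length in `size_t` instead of narrowing to `int`, checks the allocation result, and copies exactly `len + 1` bytes so the destination size and the copy length are the same expression. The function names `dupstr_checked`, `dupstr_roundtrips` and `smalloc_zero_is_usable` are assumptions for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Same zero guard as in the report: never hand back malloc(0),
 * whose result may be NULL or a block that must not be written. */
static void *smalloc(size_t size) {
    return malloc(size == 0 ? 1 : size);
}

/* Hardened dupstr (example name): length stays size_t, the
 * allocation is checked, and memcpy copies exactly len + 1 bytes,
 * which is also the size that was requested from smalloc. */
char *dupstr_checked(const char *s) {
    const size_t len = strlen(s);
    char *p = smalloc(len + 1);
    if (p == NULL) {
        return NULL;
    }
    memcpy(p, s, len + 1);   /* includes the terminating NUL */
    return p;
}

/* Returns 1 if dupstr_checked reproduces s exactly, 0 otherwise. */
int dupstr_roundtrips(const char *s) {
    char *copy = dupstr_checked(s);
    if (copy == NULL) {
        return 0;
    }
    int ok = (strcmp(copy, s) == 0) && (strlen(copy) == strlen(s));
    free(copy);
    return ok;
}

/* Returns 1 if smalloc(0) yields a one-byte block that can be
 * written and read back, which is what the zero guard promises. */
int smalloc_zero_is_usable(void) {
    unsigned char *p = smalloc(0);
    if (p == NULL) {
        return 0;
    }
    p[0] = 0xAB;
    int ok = (p[0] == 0xAB);
    free(p);
    return ok;
}
```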
    </body>
</html>