Issue 175639
Summary clang-analyzer-unix.Malloc false positive
Labels false-positive
Assignees
Reporter nick-potenski
Using the following code to determine the allocation size for a struct containing a flexible array member leads to false positives from the clang-analyzer-unix.Malloc checker.

```c
#include <stdlib.h>

typedef struct {
    size_t count;
    int flex_array[];
} flex_array_struct;

int main() {
    flex_array_struct* p = (flex_array_struct*)malloc(
        (size_t)(&(((flex_array_struct*)0)->flex_array[42])));
    p->count = 42;

    free(p);

    return 0;
}
``` 

```
<source>:11:14: warning: Use of memory allocated with size zero [clang-analyzer-unix.Malloc]
    9 |     flex_array_struct* p = (flex_array_struct*)malloc(
      | ~~~~~~~
   10 | (size_t)(&(((flex_array_struct*)0)->flex_array[42])));
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   11 |     p->count = 42;
      |              ^
<source>:9:48: note: Memory is allocated
    9 |     flex_array_struct* p = (flex_array_struct*)malloc(
      | ^~~~~~~
   10 | (size_t)(&(((flex_array_struct*)0)->flex_array[42])));
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<source>:11:14: note: Use of memory allocated with size zero
    9 |     flex_array_struct* p = (flex_array_struct*)malloc(
      | ~~~~~~~
   10 | (size_t)(&(((flex_array_struct*)0)->flex_array[42])));
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   11 |     p->count = 42;
      |              ^
1 warning generated.
``` 

See https://godbolt.org/z/zKKxWxrsM.
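The report sizes the allocation by taking the address of an element through a null pointer, which is a hand-rolled `offsetof`. As an added example (not code from the report or from LLVM), the block below shows the standard-library way to size the same `flex_array_struct`: `offsetof` for the header plus a checked multiplication for the trailing elements, so an oversized `count` is rejected instead of wrapping `size_t` into a too-small allocation. The helper names `flex_array_alloc_size` and `flex_array_new` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the struct in the report. */
typedef struct {
    size_t count;
    int flex_array[];
} flex_array_struct;

/* Bytes needed for a flex_array_struct holding `count` ints.
 * Returns 0 if the computation would overflow size_t, so callers
 * can never end up with a buffer smaller than the elements they
 * intend to store in it. (Example helper; not part of the report.) */
size_t flex_array_alloc_size(size_t count)
{
    size_t header = offsetof(flex_array_struct, flex_array);
    if (count > (SIZE_MAX - header) / sizeof(int))
        return 0; /* count * sizeof(int) + header would wrap */
    return header + count * sizeof(int);
}

/* Allocate and zero-initialise a flex_array_struct with `count` slots.
 * Returns NULL on overflow or allocation failure. */
flex_array_struct *flex_array_new(size_t count)
{
    size_t bytes = flex_array_alloc_size(count);
    if (bytes == 0)
        return NULL;
    flex_array_struct *p = malloc(bytes);
    if (p == NULL)
        return NULL;
    p->count = count;
    memset(p->flex_array, 0, count * sizeof(int));
    return p;
}

/* Sum the stored elements; demonstrates that every slot paid for
 * by flex_array_alloc_size is addressable. */
long flex_array_sum(const flex_array_struct *p)
{
    long total = 0;
    for (size_t i = 0; i < p->count; i++)
        total += p->flex_array[i];
    return total;
}

int main(void)
{
    flex_array_struct *p = flex_array_new(42);
    if (p == NULL)
        return 1;
    for (size_t i = 0; i < p->count; i++)
        p->flex_array[i] = (int)i;
    long s = flex_array_sum(p);
    free(p);
    return s == 861 ? 0 : 1;
}
```

`offsetof(flex_array_struct, flex_array)` already accounts for any padding before the flexible member, so no separate alignment arithmetic is needed; the overflow guard is what a reviewer would expect to see whenever `count` can come from untrusted input.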
