diff --git a/compat/arc4random.c b/compat/arc4random.c
index bcef0ec90..b536d3143 100644
--- a/compat/arc4random.c
+++ b/compat/arc4random.c
@@ -140,6 +140,7 @@ nodevrandom:
 static inline void
 _rs_init(u_char *buf, size_t n)
 {
+	assert(buf);
 	if (n < KEYSZ + IVSZ)
 		return;
 
diff --git a/doc/Changelog b/doc/Changelog
index b3fd66c14..3bd7d86c4 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,14 @@
 	- Newer aclocal and libtoolize used for generating configure scripts,
 	  aclocal 1.16.1 and libtoolize 2.4.6.
 	- Fix unit test for python 3.7 new keyword 'async'.
+	- clang analysis fixes, assert arc4random buffer in init,
+	  no check for already checked delegation pointer in iterator,
+	  in testcode check for NULL packet matches, in perf do not copy
+	  from NULL start list when growing capacity.  Adjust host and file
+	  only when present in test header read to please checker.  In
+	  testcode for unknown macro operand give zero result. Initialise the
+	  passed argv array in test code.  In test code add EDNS data
+	  segment copy only when nonempty.
 
 23 January 2018: Wouter
 	- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 7a62e1281..a3b52806a 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2299,7 +2299,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		errinf(qstate, "auth zone lookup failed, fallback is off");
 		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 	}
-	if(iq->dp && iq->dp->auth_dp) {
+	if(iq->dp->auth_dp) {
 		/* we wanted to fallback, but had no delegpt, only the
 		 * auth zone generated delegpt, create an actual one */
 		iq->auth_zone_avoid = 1;
diff --git a/testcode/fake_event.c b/testcode/fake_event.c
index 016f70e3d..4fb9bc8ed 100644
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@@ -385,7 +385,7 @@ answer_callback_from_entry(struct replay_runtime* runtime,
 	repinfo.addrlen = pend->addrlen;
 	memcpy(&repinfo.addr, &pend->addr, pend->addrlen);
 	if(!pend->serviced) {
-		if(entry->reply_list->next &&
+		if(entry && entry->reply_list->next &&
 			pend->tcp_pkt_counter < count_reply_packets(entry)) {
 			/* go to next packet next time */
 			pend->tcp_pkt_counter++;
@@ -509,7 +509,7 @@ fake_pending_callback(struct replay_runtime* runtime,
 	repinfo.addrlen = p->addrlen;
 	memcpy(&repinfo.addr, &p->addr, p->addrlen);
 	if(!p->serviced) {
-		if(todo->match->reply_list->next && !error &&
+		if(todo->match && todo->match->reply_list->next && !error &&
 			p->tcp_pkt_counter < count_reply_packets(todo->match)) {
 			/* go to next packet next time */
 			p->tcp_pkt_counter++;
diff --git a/testcode/perf.c b/testcode/perf.c
index 32a5307ed..8e4c5fe91 100644
--- a/testcode/perf.c
+++ b/testcode/perf.c
@@ -513,10 +513,12 @@ qlist_grow_capacity(struct perfinfo* info)
 	uint8_t** d = (uint8_t**)calloc(sizeof(uint8_t*), newcap);
 	size_t* l = (size_t*)calloc(sizeof(size_t), newcap);
 	if(!d || !l) fatal_exit("out of memory");
-	memcpy(d, info->qlist_data, sizeof(uint8_t*)*
-		info->qlist_capacity);
-	memcpy(l, info->qlist_len, sizeof(size_t)*
-		info->qlist_capacity);
+	if(info->qlist_data)
+		memcpy(d, info->qlist_data, sizeof(uint8_t*)*
+			info->qlist_capacity);
+	if(info->qlist_len)
+		memcpy(l, info->qlist_len, sizeof(size_t)*
+			info->qlist_capacity);
 	free(info->qlist_data);
 	free(info->qlist_len);
 	info->qlist_data = d;
diff --git a/testcode/petal.c b/testcode/petal.c
index e1f5f4341..a733017a4 100644
--- a/testcode/petal.c
+++ b/testcode/petal.c
@@ -323,9 +323,9 @@ file_name_is_safe(char* s)
 	return 1;
 }
 
-/** adjust host and filename */
+/** adjust host */
 static void
-adjust_host_file(char* host, char* file)
+adjust_host(char* host)
 {
 	size_t i, len;
 	/* remove a port number if present */
@@ -335,6 +335,13 @@ adjust_host_file(char* host, char* file)
 	len = strlen(host);
 	for(i=0; i<len; i++)
 		host[i] = tolower((unsigned char)host[i]);
+}
+
+/** adjust filename */
+static void
+adjust_file(char* file)
+{
+	size_t i, len;
 	len = strlen(file);
 	for(i=0; i<len; i++)
 		file[i] = tolower((unsigned char)file[i]);
@@ -534,7 +541,8 @@ service_ssl(SSL* ssl, struct sockaddr_storage* from, socklen_t falen)
 	if(!read_http_headers(ssl, file, sizeof(file), host, sizeof(host),
 		&vs))
 		return;
-	adjust_host_file(host, file);
+	if(host[0] != 0) adjust_host(host);
+	if(file[0] != 0) adjust_file(file);
 	if(host[0] == 0 || !host_name_is_safe(host))
 		(void)strlcpy(host, "default", sizeof(host));
 	if(!file_name_is_safe(file)) {
diff --git a/testcode/replay.c b/testcode/replay.c
index 93a600425..84ce50441 100644
--- a/testcode/replay.c
+++ b/testcode/replay.c
@@ -715,6 +715,7 @@ perform_arith(double x, char op, double y, double* res)
 		*res = x*y;
 		break;
 	default:
+		*res = 0;
 		return 0;
 	}
 
diff --git a/testcode/testbound.c b/testcode/testbound.c
index cea74c593..246bc6735 100644
--- a/testcode/testbound.c
+++ b/testcode/testbound.c
@@ -344,6 +344,7 @@ main(int argc, char* argv[])
 
 	/* we do not want the test to depend on the timezone */
 	(void)putenv("TZ=UTC");
+	memset(pass_argv, 0, sizeof(pass_argv));
 
 	log_init(NULL, 0, NULL);
 	/* determine commandline options for the daemon */
diff --git a/testcode/testpkts.c b/testcode/testpkts.c
index 1d89c38fc..6c90567aa 100644
--- a/testcode/testpkts.c
+++ b/testcode/testpkts.c
@@ -513,7 +513,8 @@ add_edns(uint8_t* pktbuf, size_t pktsize, int do_flag, uint8_t *ednsdata,
 	if(*pktlen + sizeof(edns) + ednslen > pktsize)
 		error("not enough space for EDNS OPT record");
 	memmove(pktbuf+*pktlen, edns, sizeof(edns));
-	memmove(pktbuf+*pktlen+sizeof(edns), ednsdata, ednslen);
+	if(ednsdata && ednslen)
+		memmove(pktbuf+*pktlen+sizeof(edns), ednsdata, ednslen);
 	sldns_write_uint16(pktbuf+10, LDNS_ARCOUNT(pktbuf)+1);
 	*pktlen += (sizeof(edns) + ednslen);
 }