[all-commits] [llvm/llvm-project] be744d: [analyzer] Fix ValistChecker false-positive involv...

[Balazs Benics via All-commits]

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: be744da01f9da0675ba5a3958c03bcd1fdc8ad60
      https://github.com/llvm/llvm-project/commit/be744da01f9da0675ba5a3958c03bcd1fdc8ad60
  Author: Balazs Benics <balazs.benics at sigmatechnology.se>
  Date:   2022-04-26 (Tue, 26 Apr 2022)

  Changed paths:
    M clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
    M clang/test/Analysis/valist-uninitialized-no-undef.c

  Log Message:
  -----------
  [analyzer] Fix ValistChecker false-positive involving symbolic pointers

In the following example:

  int va_list_get_int(va_list *va) {
    return va_arg(*va, int); // FP
  }

The `*va` expression will be something like `Element{SymRegion{va}, 0, va_list}`.
We use `ElementRegions` for representing the result of the dereference.
In this case, the `IsSymbolic` was set to `false` in the
`getVAListAsRegion()`.

Hence, before checking if the memregion is a SymRegion, we should take
the base of that region.

Analogously to the previous example, one can craft other cases:

  struct MyVaList {
    va_list l;
  };
  int va_list_get_int(struct MyVaList va) {
    return va_arg(va.l, int); // FP
  }

But it would also work if the `va_list` would be in the base or derived
part of a class. `ObjCIvarRegions` are likely also susceptible.
I'm not explicitly demonstrating these cases.

PS: Check the `MemRegion::getBaseRegion()` definition.

Fixes #55009

Reviewed By: xazax.hun

Differential Revision: https://reviews.llvm.org/D124239