[all-commits] [llvm/llvm-project] b642e8: [analyzer] Improve messaging in security.VAList (#...
Donát Nagy via All-commits
all-commits at lists.llvm.org
Thu Sep 11 08:57:44 PDT 2025
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: b642e8bfbb89c45ea7073ba9db5d1e31a6542e3c
https://github.com/llvm/llvm-project/commit/b642e8bfbb89c45ea7073ba9db5d1e31a6542e3c
Author: Donát Nagy <donat.nagy at ericsson.com>
Date: 2025-09-11 (Thu, 11 Sep 2025)
Changed paths:
M clang/lib/StaticAnalyzer/Checkers/VAListChecker.cpp
M clang/test/Analysis/valist-uninitialized-no-undef.c
M clang/test/Analysis/valist-uninitialized.c
M clang/test/Analysis/valist-unterminated.c
Log Message:
-----------
[analyzer] Improve messaging in security.VAList (#157846)
Previously the checker `security.VAList` only tracked the set of the
initialized `va_list` objects; this commit replaces this with a mapping
that can distinguish the "uninitialized" `va_list` objects from the
"already released" ones. Moreover, a new "unknown" state is introduced
to replace the slightly hacky solutions that checked the `Symbolic`
nature of the region.
In addition to slightly improving the messages, this commit also
prepares the ground for a follow-up change that would introduce an
"indeterminate" state (which needs `va_end` but cannot be otherwise
used) to model the requirements of SEI CERT rule MSC39-C, which states:
> The va_list may be passed as an argument to another function, but
> calling va_arg() within that function causes the va_list to have an
> indeterminate value in the calling function. As a result, attempting
> to read variable arguments without reinitializing the va_list can have
> unexpected behavior.
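
The MSC39-C situation quoted above, as an added C example that is not part of the commit or of LLVM's test files; all function names are hypothetical. It puts a read of an indeterminate `va_list` beside two compliant forms (`va_copy`, and passing a pointer to the `va_list`).

```c
#include <stdarg.h>

/* Callee that consumes n ints from a va_list passed by value. */
static int sum_n(int n, va_list ap) {
    int total = 0;
    for (int i = 0; i < n; i++)
        total += va_arg(ap, int);
    return total;
}

/* Non-compliant (shown for contrast, never called): sum_n() invoked va_arg(),
 * so `ap` is indeterminate here and only va_end(ap) is allowed on it. */
int sum_plus_first_bad(int n, ...) {
    va_list ap;
    va_start(ap, n);
    int total = sum_n(n, ap);
    int first = va_arg(ap, int);  /* read of an indeterminate va_list */
    va_end(ap);
    return total + first;
}

/* Compliant: the callee gets a va_copy; the caller's own list stays usable. */
int sum_plus_first(int n, ...) {
    va_list ap, copy;
    va_start(ap, n);
    va_copy(copy, ap);
    int total = sum_n(n, copy);
    va_end(copy);                 /* copy is indeterminate: release it only */
    int first = n > 0 ? va_arg(ap, int) : 0;
    va_end(ap);
    return total + first;
}

/* Compliant alternative: pass a pointer so both sides share one position. */
static int take_int(va_list *ap) { return va_arg(*ap, int); }

int first_times_second(int n, ...) {
    va_list ap;
    va_start(ap, n);
    int a = n > 0 ? take_int(&ap) : 0;
    int b = n > 1 ? va_arg(ap, int) : 0;  /* continues after the callee's read */
    va_end(ap);
    return a * b;
}
```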