1e5dd7070Spatrick //== ValistChecker.cpp - stdarg.h macro usage checker -----------*- C++ -*--==//
2e5dd7070Spatrick //
3e5dd7070Spatrick // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4e5dd7070Spatrick // See https://llvm.org/LICENSE.txt for license information.
5e5dd7070Spatrick // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6e5dd7070Spatrick //
7e5dd7070Spatrick //===----------------------------------------------------------------------===//
8e5dd7070Spatrick //
9e5dd7070Spatrick // This defines checkers which detect usage of uninitialized va_list values
10e5dd7070Spatrick // and va_start calls with no matching va_end.
11e5dd7070Spatrick //
12e5dd7070Spatrick //===----------------------------------------------------------------------===//
13e5dd7070Spatrick
14e5dd7070Spatrick #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
16e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/Checker.h"
17e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/CheckerManager.h"
18*12c85518Srobert #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
19e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
20e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
21e5dd7070Spatrick
22e5dd7070Spatrick using namespace clang;
23e5dd7070Spatrick using namespace ento;
24e5dd7070Spatrick
// Program-state trait: the set of va_list regions for which a va_start/va_copy
// has been observed and no matching va_end yet. Every check in this file reads
// or updates this set.
REGISTER_SET_WITH_PROGRAMSTATE(InitializedVALists, const MemRegion *)
26e5dd7070Spatrick
namespace {
using RegionVector = SmallVector<const MemRegion *, 2>;

/// Path-sensitive checker for stdarg.h usage. It reports va_arg/va_end on a
/// va_list that was never started, va_start/va_copy on a list that is already
/// started, va_copy of a list onto itself, and started lists that go out of
/// scope without a va_end.
class ValistChecker : public Checker<check::PreCall, check::PreStmt<VAArgExpr>,
                                     check::DeadSymbols> {
  // Created lazily by the report helpers, once the sub-checker names are known.
  mutable std::unique_ptr<BugType> BT_leakedvalist, BT_uninitaccess;

  /// A library function that consumes a va_list argument.
  struct VAListAccepter {
    CallDescription Func;
    /// Zero-based index of the va_list argument in the call.
    int VAListPos;
  };
  static const SmallVector<VAListAccepter, 15> VAListAccepters;
  static const CallDescription VaStart, VaEnd, VaCopy;

public:
  /// The diagnostics this checker can emit. Each one is switched on by its own
  /// registered sub-checker (see REGISTER_CHECKER at the end of the file).
  enum CheckKind {
    CK_Uninitialized,
    CK_Unterminated,
    CK_CopyToSelf,
    CK_NumCheckKinds
  };

  bool ChecksEnabled[CK_NumCheckKinds] = {};
  CheckerNameRef CheckNames[CK_NumCheckKinds];

  void checkPreStmt(const VAArgExpr *VAA, CheckerContext &C) const;
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;

private:
  const MemRegion *getVAListAsRegion(SVal SV, const Expr *VAExpr,
                                     bool &IsSymbolic, CheckerContext &C) const;
  const ExplodedNode *getStartCallSite(const ExplodedNode *N,
                                       const MemRegion *Reg) const;

  void reportUninitializedAccess(const MemRegion *VAList, StringRef Msg,
                                 CheckerContext &C) const;
  void reportLeakedVALists(const RegionVector &LeakedVALists, StringRef Msg1,
                           StringRef Msg2, CheckerContext &C, ExplodedNode *N,
                           bool ReportUninit = false) const;

  void checkVAListStartCall(const CallEvent &Call, CheckerContext &C,
                            bool IsCopy) const;
  void checkVAListEndCall(const CallEvent &Call, CheckerContext &C) const;

  /// Annotates a bug path with the points where the tracked va_list is started
  /// and ended; for leak reports it also supplies the end-of-path piece.
  class ValistBugVisitor : public BugReporterVisitor {
  public:
    ValistBugVisitor(const MemRegion *Reg, bool IsLeak = false)
        : Reg(Reg), IsLeak(IsLeak) {}
    void Profile(llvm::FoldingSetNodeID &ID) const override {
      // The address of a function-local static is a unique tag for this
      // visitor type; the region tells visitor instances apart.
      static int X = 0;
      ID.AddPointer(&X);
      ID.AddPointer(Reg);
    }
    PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
                                      const ExplodedNode *EndPathNode,
                                      PathSensitiveBugReport &BR) override {
      if (IsLeak) {
        // For a leak only the location is used; the statement itself is
        // deliberately not added as a range.
        const PathDiagnosticLocation Loc = BR.getLocation();
        return std::make_shared<PathDiagnosticEventPiece>(
            Loc, BR.getDescription(), /*addPosRange=*/false);
      }
      return nullptr;
    }
    PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                     BugReporterContext &BRC,
                                     PathSensitiveBugReport &BR) override;

  private:
    const MemRegion *Reg;
    bool IsLeak;
  };
};

// Library functions that read a va_list, with the zero-based position of that
// argument. Each CallDescription is built from the function name and its
// expected argument count.
const SmallVector<ValistChecker::VAListAccepter, 15>
    ValistChecker::VAListAccepters = {
        {{{"vfprintf"}, 3}, 2},
        {{{"vfscanf"}, 3}, 2},
        {{{"vprintf"}, 2}, 1},
        {{{"vscanf"}, 2}, 1},
        {{{"vsnprintf"}, 4}, 3},
        {{{"vsprintf"}, 3}, 2},
        {{{"vsscanf"}, 3}, 2},
        {{{"vfwprintf"}, 3}, 2},
        {{{"vfwscanf"}, 3}, 2},
        {{{"vwprintf"}, 2}, 1},
        {{{"vwscanf"}, 2}, 1},
        // vswprintf is the wide counterpart of vsnprintf; vsprintf has no wide
        // version.
        {{{"vswprintf"}, 4}, 3},
        {{{"vswscanf"}, 3}, 2}};

// The va_* macros expand to these builtins, which is what the call events
// carry.
const CallDescription ValistChecker::VaStart({"__builtin_va_start"}, /*Args=*/2,
                                             /*Params=*/1);
const CallDescription ValistChecker::VaCopy({"__builtin_va_copy"}, 2);
const CallDescription ValistChecker::VaEnd({"__builtin_va_end"}, 1);
} // end anonymous namespace
124e5dd7070Spatrick
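/// Dispatches calls to the va_* builtins and to the known va_list-consuming
/// library functions.
///
/// For a library function (vprintf and friends) the va_list argument must be
/// in the tracked set; an untracked list is reported, unless its region is
/// symbolic: then the va_start may have happened outside the analyzed code
/// and the checker conservatively stays silent (a deliberate false-negative
/// trade-off).
void ValistChecker::checkPreCall(const CallEvent &Call,
                                 CheckerContext &C) const {
  if (!Call.isGlobalCFunction())
    return;
  if (VaStart.matches(Call))
    checkVAListStartCall(Call, C, /*IsCopy=*/false);
  else if (VaCopy.matches(Call))
    checkVAListStartCall(Call, C, /*IsCopy=*/true);
  else if (VaEnd.matches(Call))
    checkVAListEndCall(Call, C);
  else {
    // Bind by reference: CallDescription carries the function's qualified
    // name, so copying each entry per iteration (the old `auto FuncInfo`) did
    // needless work on every call event.
    for (const VAListAccepter &FuncInfo : VAListAccepters) {
      if (!FuncInfo.Func.matches(Call))
        continue;
      bool Symbolic;
      const MemRegion *VAList =
          getVAListAsRegion(Call.getArgSVal(FuncInfo.VAListPos),
                            Call.getArgExpr(FuncInfo.VAListPos), Symbolic, C);
      if (!VAList)
        return;

      if (C.getState()->contains<InitializedVALists>(VAList))
        return;

      // We did not see a va_start call, but the source of the region is
      // unknown (its base is symbolic). Be conservative and assume the best.
      if (Symbolic)
        return;

      SmallString<80> Errmsg("Function '");
      Errmsg += FuncInfo.Func.getFunctionName();
      Errmsg += "' is called with an uninitialized va_list argument";
      reportUninitializedAccess(VAList, Errmsg.c_str(), C);
      break;
    }
  }
}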
162e5dd7070Spatrick
/// Maps the value of a va_list expression to the region this checker tracks.
///
/// \param SV         Value of the va_list argument or operand.
/// \param E          The expression it came from; a cast to "pointer to record"
///                   marks the array-style va_list ABI, handled below.
/// \param IsSymbolic Set to true when the resulting region has a symbolic base,
///                   i.e. the analyzer does not know where it came from.
/// \param C          Current checker context, used to load through parameters.
/// \returns The tracked region, or nullptr when SV is not a region at all.
const MemRegion *ValistChecker::getVAListAsRegion(SVal SV, const Expr *E,
                                                  bool &IsSymbolic,
                                                  CheckerContext &C) const {
  const MemRegion *Reg = SV.getAsRegion();
  if (Reg == nullptr)
    return nullptr;

  // TODO: In the future this should be abstracted away by the analyzer.
  // On targets where va_list is an array, the expression arrives as a cast to
  // a pointer to a record; remember that so the ElementRegion can be peeled
  // off at the end.
  bool ModelledAsArray = false;
  if (const auto *CE = dyn_cast<CastExpr>(E)) {
    const QualType CastTy = CE->getType();
    ModelledAsArray =
        CastTy->isPointerType() && CastTy->getPointeeType()->isRecordType();
  }

  // A va_list that is a function parameter designates the list through the
  // value stored in the parameter: load it and track that region instead.
  if (const auto *DeclReg = Reg->getAs<DeclRegion>())
    if (isa<ParmVarDecl>(DeclReg->getDecl()))
      Reg = C.getState()->getSVal(SV.castAs<Loc>()).getAsRegion();

  IsSymbolic = Reg != nullptr &&
               Reg->getBaseRegion()->getAs<SymbolicRegion>() != nullptr;

  // Some VarRegion based VA lists reach here as ElementRegions.
  const auto *ElemReg = dyn_cast_or_null<ElementRegion>(Reg);
  if (ElemReg != nullptr && ModelledAsArray)
    return ElemReg->getSuperRegion();
  return Reg;
}
185e5dd7070Spatrick
/// va_arg(ap, T): report when ap resolves to a region that was never started.
void ValistChecker::checkPreStmt(const VAArgExpr *VAA,
                                 CheckerContext &C) const {
  const Expr *ListExpr = VAA->getSubExpr();
  bool Symbolic = false;
  const MemRegion *VAList =
      getVAListAsRegion(C.getSVal(ListExpr), ListExpr, Symbolic, C);
  // Not a region, or a region of unknown origin: nothing to say.
  if (VAList == nullptr || Symbolic)
    return;
  if (C.getState()->contains<InitializedVALists>(VAList))
    return;
  reportUninitializedAccess(
      VAList, "va_arg() is called on an uninitialized va_list", C);
}
202e5dd7070Spatrick
/// When a tracked va_list region dies while still started, no va_end matched
/// the va_start: drop it from the state and report it as leaked.
void ValistChecker::checkDeadSymbols(SymbolReaper &SR,
                                     CheckerContext &C) const {
  ProgramStateRef State = C.getState();
  const InitializedVAListsTy Tracked = State->get<InitializedVALists>();
  RegionVector Leaked;
  for (const MemRegion *Reg : Tracked) {
    if (SR.isLiveRegion(Reg))
      continue;
    Leaked.push_back(Reg);
    State = State->remove<InitializedVALists>(Reg);
  }
  // A transition is added even when nothing died; the report helper does
  // nothing for an empty list.
  ExplodedNode *N = C.addTransition(State);
  if (N == nullptr)
    return;
  reportLeakedVALists(Leaked, "Initialized va_list", " is leaked", C, N);
}
218e5dd7070Spatrick
// Walks the exploded graph backwards from N to the node at which Reg became a
// tracked (started) va_list. That node is used for uniquing the bug paths.
// Only nodes in the leaking frame or one of its parent frames are considered;
// it is not likely that several different va_lists belong to different stack
// frames, so that case is not yet handled.
const ExplodedNode *
ValistChecker::getStartCallSite(const ExplodedNode *N,
                                const MemRegion *Reg) const {
  const LocationContext *LeakContext = N->getLocationContext();
  const ExplodedNode *StartCallNode = N;
  bool SeenTracked = false;

  for (const ExplodedNode *Cur = N; Cur != nullptr;
       Cur = Cur->pred_empty() ? nullptr : *Cur->pred_begin()) {
    const bool Tracked = Cur->getState()->contains<InitializedVALists>(Reg);
    // Going backwards, the first node that no longer tracks Reg after we have
    // seen it tracked lies before the va_start: stop there.
    if (!Tracked && SeenTracked)
      break;
    if (Tracked)
      SeenTracked = true;

    const LocationContext *CurContext = Cur->getLocationContext();
    if (CurContext == LeakContext || CurContext->isParentOf(LeakContext))
      StartCallNode = Cur;
  }

  return StartCallNode;
}
247e5dd7070Spatrick
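/// Emits the "uninitialized va_list" diagnostic for VAList at the current
/// point, if the CK_Uninitialized check is enabled. The report hangs off an
/// error node produced by generateErrorNode(), so the path is not explored
/// further.
void ValistChecker::reportUninitializedAccess(const MemRegion *VAList,
                                              StringRef Msg,
                                              CheckerContext &C) const {
  if (!ChecksEnabled[CK_Uninitialized])
    return;
  ExplodedNode *N = C.generateErrorNode();
  if (N == nullptr)
    return;
  // Created lazily: the check name is only filled in once the sub-checker has
  // been registered. make_unique replaces the former reset(new ...).
  if (!BT_uninitaccess)
    BT_uninitaccess = std::make_unique<BugType>(CheckNames[CK_Uninitialized],
                                                "Uninitialized va_list",
                                                categories::MemoryError);
  auto R = std::make_unique<PathSensitiveBugReport>(*BT_uninitaccess, Msg, N);
  R->markInteresting(VAList);
  R->addVisitor(std::make_unique<ValistBugVisitor>(VAList));
  C.emitReport(std::move(R));
}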
264e5dd7070Spatrick
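/// Emits one "leaked va_list" report per region in LeakedVALists, attached to
/// node N. The message is Msg1, then the region's descriptive name if it has
/// one, then Msg2.
///
/// The reports are gated on the CK_Unterminated check, or on CK_Uninitialized
/// when ReportUninit is set (the va_copy paths in checkVAListStartCall pass
/// it). Each report is uniqued on the node where the list was started.
void ValistChecker::reportLeakedVALists(const RegionVector &LeakedVALists,
                                        StringRef Msg1, StringRef Msg2,
                                        CheckerContext &C, ExplodedNode *N,
                                        bool ReportUninit) const {
  if (!(ChecksEnabled[CK_Unterminated] ||
        (ChecksEnabled[CK_Uninitialized] && ReportUninit)))
    return;
  for (const MemRegion *Reg : LeakedVALists) {
    if (!BT_leakedvalist) {
      // FIXME: maybe creating a new check name for this type of bug is a better
      // solution.
      // When only the uninitialized sub-checker is registered, the unterminated
      // name is empty; attribute the report to the former in that case.
      const CheckerNameRef Name = CheckNames[CK_Unterminated].getName().empty()
                                      ? CheckNames[CK_Uninitialized]
                                      : CheckNames[CK_Unterminated];
      BT_leakedvalist = std::make_unique<BugType>(
          Name, "Leaked va_list", categories::MemoryError,
          /*SuppressOnSink=*/true);
    }

    // Unique on the va_start site rather than on the point of the leak, so
    // several paths from one start produce one report.
    const ExplodedNode *StartNode = getStartCallSite(N, Reg);
    PathDiagnosticLocation LocUsedForUniqueing;
    if (const Stmt *StartCallStmt = StartNode->getStmtForDiagnostics())
      LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
          StartCallStmt, C.getSourceManager(), StartNode->getLocationContext());

    SmallString<100> Buf;
    llvm::raw_svector_ostream OS(Buf);
    OS << Msg1;
    const std::string VariableName = Reg->getDescriptiveName();
    if (!VariableName.empty())
      OS << " " << VariableName;
    OS << Msg2;

    auto R = std::make_unique<PathSensitiveBugReport>(
        *BT_leakedvalist, OS.str(), N, LocUsedForUniqueing,
        StartNode->getLocationContext()->getDecl());
    R->markInteresting(Reg);
    R->addVisitor(std::make_unique<ValistBugVisitor>(Reg, /*IsLeak=*/true));
    C.emitReport(std::move(R));
  }
}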
307e5dd7070Spatrick
/// Handles va_start (IsCopy == false) and va_copy (IsCopy == true). Argument 0
/// is the list being started; for va_copy, argument 1 is the source list,
/// which is expected to be started already.
void ValistChecker::checkVAListStartCall(const CallEvent &Call,
                                         CheckerContext &C, bool IsCopy) const {
  bool Symbolic;
  const MemRegion *VAList =
      getVAListAsRegion(Call.getArgSVal(0), Call.getArgExpr(0), Symbolic, C);
  if (!VAList)
    return;

  ProgramStateRef State = C.getState();

  if (IsCopy) {
    // NOTE: this call overwrites Symbolic; from here on it describes Arg2 (the
    // source list), not VAList.
    const MemRegion *Arg2 =
        getVAListAsRegion(Call.getArgSVal(1), Call.getArgExpr(1), Symbolic, C);
    if (Arg2) {
      if (ChecksEnabled[CK_CopyToSelf] && VAList == Arg2) {
        // va_copy(ap, ap). Reported through the leak helper with ReportUninit
        // set, so it is emitted when either of the two checks is enabled.
        RegionVector LeakedVALists{VAList};
        if (ExplodedNode *N = C.addTransition(State))
          reportLeakedVALists(LeakedVALists, "va_list",
                              " is copied onto itself", C, N, true);
        return;
      } else if (!State->contains<InitializedVALists>(Arg2) && !Symbolic) {
        // The source was never started and its origin is known.
        if (State->contains<InitializedVALists>(VAList)) {
          // The destination was started: it is clobbered and stops being
          // tracked, otherwise it would be reported a second time as a leak.
          State = State->remove<InitializedVALists>(VAList);
          RegionVector LeakedVALists{VAList};
          if (ExplodedNode *N = C.addTransition(State))
            reportLeakedVALists(LeakedVALists, "Initialized va_list",
                                " is overwritten by an uninitialized one", C, N,
                                true);
        } else {
          reportUninitializedAccess(Arg2, "Uninitialized va_list is copied", C);
        }
        return;
      }
    }
    // Otherwise (source already started, of unknown origin, or not a region)
    // va_copy is treated exactly like va_start below.
  }
  // Starting a list that is already started: reported as a leak of the earlier
  // start. The state is left unchanged, so the list stays tracked.
  if (State->contains<InitializedVALists>(VAList)) {
    RegionVector LeakedVALists{VAList};
    if (ExplodedNode *N = C.addTransition(State))
      reportLeakedVALists(LeakedVALists, "Initialized va_list",
                          " is initialized again", C, N);
    return;
  }

  State = State->add<InitializedVALists>(VAList);
  C.addTransition(State);
}
354e5dd7070Spatrick
/// va_end(ap): ap must be a started list; on success it stops being tracked.
void ValistChecker::checkVAListEndCall(const CallEvent &Call,
                                       CheckerContext &C) const {
  bool Symbolic = false;
  const MemRegion *VAList =
      getVAListAsRegion(Call.getArgSVal(0), Call.getArgExpr(0), Symbolic, C);
  if (VAList == nullptr)
    return;

  // We did not see a va_start call, but the source of the region is unknown.
  // Be conservative and assume the best.
  if (Symbolic)
    return;

  ProgramStateRef State = C.getState();
  if (!State->contains<InitializedVALists>(VAList)) {
    reportUninitializedAccess(
        VAList, "va_end() is called on an uninitialized va_list", C);
    return;
  }
  C.addTransition(State->remove<InitializedVALists>(VAList));
}
377e5dd7070Spatrick
/// Adds a path note at each node where Reg enters ("Initialized va_list") or
/// leaves ("Ended va_list") the tracked set, compared with the node's first
/// predecessor.
PathDiagnosticPieceRef ValistChecker::ValistBugVisitor::VisitNode(
    const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {
  const bool TrackedNow = N->getState()->contains<InitializedVALists>(Reg);
  const bool TrackedBefore =
      N->getFirstPred()->getState()->contains<InitializedVALists>(Reg);

  const Stmt *S = N->getStmtForDiagnostics();
  if (S == nullptr)
    return nullptr;

  // No change in tracking at this node: nothing to annotate.
  if (TrackedNow == TrackedBefore)
    return nullptr;

  const StringRef Msg = TrackedNow ? "Initialized va_list" : "Ended va_list";
  const PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
                                   N->getLocationContext());
  return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg,
                                                    /*addPosRange=*/true);
}
402e5dd7070Spatrick
/// Registers the base checker that owns the state and the checking logic. The
/// user-visible sub-checkers defined by REGISTER_CHECKER below only enable
/// individual checks on this instance.
void ento::registerValistBase(CheckerManager &mgr) {
  mgr.registerChecker<ValistChecker>();
}
406e5dd7070Spatrick
/// The base checker has no registration prerequisites of its own.
bool ento::shouldRegisterValistBase(const CheckerManager &mgr) {
  return true;
}
410e5dd7070Spatrick
// Defines the register/shouldRegister entry points for one sub-checker. Each
// one fetches the ValistChecker instance (presumably registered earlier by
// registerValistBase), enables its CK_<name> check and records the
// sub-checker's own name so that reports are attributed to it.
#define REGISTER_CHECKER(name)                                                 \
  void ento::register##name##Checker(CheckerManager &mgr) {                    \
    ValistChecker *checker = mgr.getChecker<ValistChecker>();                  \
    checker->ChecksEnabled[ValistChecker::CK_##name] = true;                   \
    checker->CheckNames[ValistChecker::CK_##name] =                            \
        mgr.getCurrentCheckerName();                                           \
  }                                                                            \
                                                                               \
  bool ento::shouldRegister##name##Checker(const CheckerManager &mgr) {        \
    return true;                                                               \
  }

// One sub-checker per CheckKind, excluding the CK_NumCheckKinds sentinel.
REGISTER_CHECKER(Uninitialized)
REGISTER_CHECKER(Unterminated)
REGISTER_CHECKER(CopyToSelf)