You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[analyzer] Consolidate the va_list checkers (#156682)
Previously the analyzer had an undocumented top-level checker group
called `valist` which offered several checkers to detect use of
uninitialized `va_list` objects and leaks of `va_list`s.
As the responsibilities of these checkers were messily intertwined and
`va_list` is a rarely used language feature, this commit simplifies the
situation by consolidating these checkers into a single checker which
will be called `security.VAList`.
Note that I'm choosing the capitalization `VAList` to be consistent with
the example of the AST node type `VAArgExpr`. I updated many variable
names to ensure that `ValistChecker.cpp` uses this spelling everywhere
(in CamelCased names). I'm planning to rename `ValistChecker.cpp` to
`VAListChecker.cpp` in a follow-up commit.
This commit also adds documentation for this checker in checkers.rst.
Among the test files I preserved the existing separation but I
eliminated some duplicated cases now that there is no way to separately
enable the old sub-checkers.
For the background of this change see also the discourse thread
https://discourse.llvm.org/t/clean-up-valist-checkers/85277/3
Copy file name to clipboardExpand all lines: clang/docs/analyzer/checkers.rst
+26Lines changed: 26 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1859,6 +1859,32 @@ this) and always check the return value of these calls.
1859
1859
1860
1860
This check corresponds to SEI CERT Rule `POS36-C <https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges>`_.
1861
1861
1862
+
.. _security-VAList:
1863
+
1864
+
security.VAList (C, C++)
1865
+
""""""""""""""""""""""""
1866
+
Reports use of uninitialized (or already released) ``va_list`` objects and
1867
+
situations where a ``va_start`` call is not followed by ``va_end``.
1868
+
1869
+
Report out of bounds access to memory that is before the start or after the end
1870
+
of the accessed region (array, heap-allocated region, string literal etc.).
1871
+
This usually means incorrect indexing, but the checker also detects access via
1872
+
the operators ``*`` and ``->``.
1873
+
1874
+
.. code-block:: c
1875
+
1876
+
int test_use_after_release(int x, ...) {
1877
+
va_list va;
1878
+
va_start(va, x);
1879
+
va_end(va);
1880
+
return va_arg(va, int); // warn: va is uninitialized
0 commit comments