This is an archive of the discontinued LLVM Phabricator instance.

Differential D30157

[analyzer] Improve valist check
ClosedPublic

Authored by xazax.hun on Feb 19 2017, 10:54 AM.

Details

Reviewers
zaks.anna
NoQ
Commits
rGdbf2790a1f7f: [analyzer] Improve valist checks and move it out from alpha state.
rC297153: [analyzer] Improve valist checks and move it out from alpha state.
rL297153: [analyzer] Improve valist checks and move it out from alpha state.
Summary

This patch makes the valist check more robust to the different kind of ASTs that are generated on different platforms:

Generated on x86_64-pc-linux-gnu:

|-TypedefDecl 0x1d07d08 <<invalid sloc>> <invalid sloc> implicit referenced __builtin_va_list 'struct __va_list_tag [1]'
| `-ConstantArrayType 0x1d07cb0 'struct __va_list_tag [1]' 1 
|   `-RecordType 0x1d07b20 'struct __va_list_tag'
|     `-Record 0x1d07a90 '__va_list_tag'

Generated on hexagon-unknown-linux:

-TypedefDecl 0x6c47e0 <<invalid sloc>> <invalid sloc> implicit referenced __builtin_va_list 'char *'
| `-PointerType 0x6c47a0 'char *'
|   `-BuiltinType 0x6c4020 'char'

This patch also manages to fix one of the FIXMEs in the tests.

Note that, some tests are only there for x86_64-pc-linux-gnu. The reason is that, the analyzer manages to notice the uninitializedness of va_list on hexagon-unknown-linux, so it generates a sink node before this check could be triggered. Also this patch moves this check out of alpha stage.

Diff Detail

Repository
rL LLVM

Event Timeline

xazax.hun created this revision.Feb 19 2017, 10:54 AM
xazax.hun edited the summary of this revision. (Show Details)Feb 19 2017, 11:02 AM
NoQ added inline comments.Feb 20 2017, 5:46 AM
lib/StaticAnalyzer/Checkers/ValistChecker.cpp
178 ↗(On Diff #89070)

I suspect that UnknownVal should also be handled before that, otherwise we'd have null dereference on the next line.

test/Analysis/valist-uninitialized-no-undef.c
5 ↗(On Diff #89070)

Hmm, where's the previous one?

19 ↗(On Diff #89070)

As the patch tries to handle symbolic va_list regions, i wonder what's so particularly hard about this false positive (apart from its being obviously rare, by the way did you actually see such code?).

xazax.hun updated this revision to Diff 89185.Feb 21 2017, 3:59 AM
  • Address some review comments.
  • Add some additional tests.
  • Fixed some false positives (checking for symbolic values for va_copy and more robust detection of which valist model is used by the platform)
  • I have run the checker on https://github.com/rathena/rathena, there were no false positives or crashes using the current state. It is a 170KLOC C project.
xazax.hun marked 3 inline comments as done.Feb 21 2017, 4:00 AM
xazax.hun added inline comments.
lib/StaticAnalyzer/Checkers/ValistChecker.cpp
178 ↗(On Diff #89070)

Indeed.

test/Analysis/valist-uninitialized-no-undef.c
5 ↗(On Diff #89070)

Tha calling function is after this one.

19 ↗(On Diff #89070)

What is strange, this case does work with the hexagon AST variant.

xazax.hun updated this revision to Diff 89187.Feb 21 2017, 4:02 AM
xazax.hun marked 3 inline comments as done.
  • Fixed a comment.
xazax.hun added inline comments.Feb 21 2017, 5:49 AM
test/Analysis/valist-uninitialized-no-undef.c
19 ↗(On Diff #89070)

Also, I did not see such code inproduction yet

danielmarjamaki added a subscriber: danielmarjamaki.Feb 24 2017, 3:26 AM
danielmarjamaki added inline comments.
lib/StaticAnalyzer/Checkers/ValistChecker.cpp
189 ↗(On Diff #89187)

I would personally recommend parentheses around EReg and VaListModelledAsArray to highlight the precedence.

xazax.hun updated this revision to Diff 89780.Feb 25 2017, 2:10 AM
  • Minor style improvement.
xazax.hun marked an inline comment as done.Feb 25 2017, 2:11 AM
xazax.hun updated this revision to Diff 89857.Feb 27 2017, 3:12 AM
xazax.hun edited the summary of this revision. (Show Details)
  • Move the check out of alpha.
danielmarjamaki added a comment.Mar 1 2017, 1:48 AM

I am running this checker right now on various projects. Here are currently seen results.. https://drive.google.com/open?id=0BykPmWrCOxt2STZMOXZ5OGlwM3c

Feel free to look at it and see if there are FPs or TPs.

zaks.anna added inline comments.Mar 1 2017, 1:36 PM
test/Analysis/valist-uninitialized-no-undef.c
25 ↗(On Diff #89857)

Please, split the long "expected" lines into multiple lines - one per note. It will improve readability in non-wrapping editors. Thanks!

xazax.hun updated this revision to Diff 90676.Mar 6 2017, 4:25 AM
xazax.hun marked an inline comment as done.
  • Improve the readability of test files.
  • Rebased on latest ToT.
xazax.hun added a comment.Mar 6 2017, 4:29 AM
In D30157#689374, @danielmarjamaki wrote:

I am running this checker right now on various projects. Here are currently seen results.. https://drive.google.com/open?id=0BykPmWrCOxt2STZMOXZ5OGlwM3c

Feel free to look at it and see if there are FPs or TPs.

Thank you for running this check on those projects! I did not do a deep review of the findings but some of the results I checked are true positives. Also, the number of results are not scary, none of the projects generated tons of results.

NoQ accepted this revision.Mar 7 2017, 7:28 AM

It's great to see things move out of alpha and finally become actually accessible to the majority of users. Thanks!

This revision is now accepted and ready to land.Mar 7 2017, 7:28 AM
Closed by commit rL297153: [analyzer] Improve valist checks and move it out from alpha state. (authored by xazax). · Explain WhyMar 7 2017, 8:16 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Checkers/
5 lines
lib/
StaticAnalyzer/
Checkers/
89 lines
test/
Analysis/
40 lines
96 lines
72 lines

Diff 90855

cfe/trunk/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show All 39 Lines
def Nullability : Package<"nullability">; def Nullability : Package<"nullability">;
def Cplusplus : Package<"cplusplus">; def Cplusplus : Package<"cplusplus">;
def CplusplusAlpha : Package<"cplusplus">, InPackage<Alpha>, Hidden; def CplusplusAlpha : Package<"cplusplus">, InPackage<Alpha>, Hidden;
def CplusplusOptIn : Package<"cplusplus">, InPackage<OptIn>; def CplusplusOptIn : Package<"cplusplus">, InPackage<OptIn>;
def Valist : Package<"valist">; def Valist : Package<"valist">;
def ValistAlpha : Package<"valist">, InPackage<Alpha>, Hidden;
def DeadCode : Package<"deadcode">; def DeadCode : Package<"deadcode">;
def DeadCodeAlpha : Package<"deadcode">, InPackage<Alpha>, Hidden; def DeadCodeAlpha : Package<"deadcode">, InPackage<Alpha>, Hidden;
def Performance : Package<"performance">, InPackage<OptIn>; def Performance : Package<"performance">, InPackage<OptIn>;
def Security : Package <"security">; def Security : Package <"security">;
def InsecureAPI : Package<"insecureAPI">, InPackage<Security>; def InsecureAPI : Package<"insecureAPI">, InPackage<Security>;
▲ Show 20 LinesShow All 229 Lines▼ Show 20 Lines
} // end: "alpha.cplusplus" } // end: "alpha.cplusplus"
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Valist checkers. // Valist checkers.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = ValistAlpha in { let ParentPackage = Valist in {
def UninitializedChecker : Checker<"Uninitialized">, def UninitializedChecker : Checker<"Uninitialized">,
HelpText<"Check for usages of uninitialized (or already released) va_lists.">, HelpText<"Check for usages of uninitialized (or already released) va_lists.">,
DescFile<"ValistChecker.cpp">; DescFile<"ValistChecker.cpp">;
def UnterminatedChecker : Checker<"Unterminated">, def UnterminatedChecker : Checker<"Unterminated">,
HelpText<"Check for va_lists which are not released by a va_end call.">, HelpText<"Check for va_lists which are not released by a va_end call.">,
DescFile<"ValistChecker.cpp">; DescFile<"ValistChecker.cpp">;
def CopyToSelfChecker : Checker<"CopyToSelf">, def CopyToSelfChecker : Checker<"CopyToSelf">,
HelpText<"Check for va_lists which are copied onto itself.">, HelpText<"Check for va_lists which are copied onto itself.">,
DescFile<"ValistChecker.cpp">; DescFile<"ValistChecker.cpp">;
} // end : "alpha.valist" } // end : "valist"
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Deadcode checkers. // Deadcode checkers.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = DeadCode in { let ParentPackage = DeadCode in {
def DeadStoresChecker : Checker<"DeadStores">, def DeadStoresChecker : Checker<"DeadStores">,
▲ Show 20 LinesShow All 436 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ValistChecker.cpp

Show First 20 LinesShow All 48 Lines▼ Show 20 Linespublic:
DefaultBool ChecksEnabled[CK_NumCheckKinds]; DefaultBool ChecksEnabled[CK_NumCheckKinds];
CheckName CheckNames[CK_NumCheckKinds]; CheckName CheckNames[CK_NumCheckKinds];
void checkPreStmt(const VAArgExpr *VAA, CheckerContext &C) const; void checkPreStmt(const VAArgExpr *VAA, CheckerContext &C) const;
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
private: private:
const MemRegion *getVAListAsRegion(SVal SV, CheckerContext &C) const; const MemRegion *getVAListAsRegion(SVal SV, const Expr *VAExpr,
bool &IsSymbolic, CheckerContext &C) const;
StringRef getVariableNameFromRegion(const MemRegion *Reg) const; StringRef getVariableNameFromRegion(const MemRegion *Reg) const;
const ExplodedNode *getStartCallSite(const ExplodedNode *N, const ExplodedNode *getStartCallSite(const ExplodedNode *N,
const MemRegion *Reg, const MemRegion *Reg) const;
CheckerContext &C) const;
void reportUninitializedAccess(const MemRegion *VAList, StringRef Msg, void reportUninitializedAccess(const MemRegion *VAList, StringRef Msg,
CheckerContext &C) const; CheckerContext &C) const;
void reportLeakedVALists(const RegionVector &LeakedVALists, StringRef Msg1, void reportLeakedVALists(const RegionVector &LeakedVALists, StringRef Msg1,
StringRef Msg2, CheckerContext &C, ExplodedNode *N, StringRef Msg2, CheckerContext &C, ExplodedNode *N,
bool ForceReport = false) const; bool ForceReport = false) const;
void checkVAListStartCall(const CallEvent &Call, CheckerContext &C, void checkVAListStartCall(const CallEvent &Call, CheckerContext &C,
▲ Show 20 LinesShow All 63 Lines▼ Show 20 Linesvoid ValistChecker::checkPreCall(const CallEvent &Call,
else if (Call.isCalled(VaCopy)) else if (Call.isCalled(VaCopy))
checkVAListStartCall(Call, C, true); checkVAListStartCall(Call, C, true);
else if (Call.isCalled(VaEnd)) else if (Call.isCalled(VaEnd))
checkVAListEndCall(Call, C); checkVAListEndCall(Call, C);
else { else {
for (auto FuncInfo : VAListAccepters) { for (auto FuncInfo : VAListAccepters) {
if (!Call.isCalled(FuncInfo.Func)) if (!Call.isCalled(FuncInfo.Func))
continue; continue;
bool Symbolic;
const MemRegion *VAList = const MemRegion *VAList =
getVAListAsRegion(Call.getArgSVal(FuncInfo.VAListPos), C); getVAListAsRegion(Call.getArgSVal(FuncInfo.VAListPos),
Call.getArgExpr(FuncInfo.VAListPos), Symbolic, C);
if (!VAList) if (!VAList)
return; return;
if (C.getState()->contains<InitializedVALists>(VAList)) if (C.getState()->contains<InitializedVALists>(VAList))
return; return;
// We did not see va_start call, but the source of the region is unknown.
// Be conservative and assume the best.
if (Symbolic)
return;
SmallString<80> Errmsg("Function '"); SmallString<80> Errmsg("Function '");
Errmsg += FuncInfo.Func.getFunctionName(); Errmsg += FuncInfo.Func.getFunctionName();
Errmsg += "' is called with an uninitialized va_list argument"; Errmsg += "' is called with an uninitialized va_list argument";
reportUninitializedAccess(VAList, Errmsg.c_str(), C); reportUninitializedAccess(VAList, Errmsg.c_str(), C);
break; break;
} }
} }
} }
const MemRegion *ValistChecker::getVAListAsRegion(SVal SV, const Expr *E,
bool &IsSymbolic,
CheckerContext &C) const {
// FIXME: on some platforms CallAndMessage checker finds some instances of
// the uninitialized va_list usages. CallAndMessage checker is disabled in
// the tests so they can verify platform independently those issues. As a
// side effect, this check is required here.
if (SV.isUnknownOrUndef())
return nullptr;
// TODO: In the future this should be abstracted away by the analyzer.
bool VaListModelledAsArray = false;
if (const auto *Cast = dyn_cast<CastExpr>(E)) {
QualType Ty = Cast->getType();
VaListModelledAsArray =
Ty->isPointerType() && Ty->getPointeeType()->isRecordType();
}
const MemRegion *Reg = SV.getAsRegion();
if (const auto *DeclReg = Reg->getAs<DeclRegion>()) {
if (isa<ParmVarDecl>(DeclReg->getDecl()))
Reg = C.getState()->getSVal(SV.castAs<Loc>()).getAsRegion();
}
IsSymbolic = Reg && Reg->getAs<SymbolicRegion>();
// Some VarRegion based VA lists reach here as ElementRegions.
const auto *EReg = dyn_cast_or_null<ElementRegion>(Reg);
return (EReg && VaListModelledAsArray) ? EReg->getSuperRegion() : Reg;
}
void ValistChecker::checkPreStmt(const VAArgExpr *VAA, void ValistChecker::checkPreStmt(const VAArgExpr *VAA,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal VAListSVal = State->getSVal(VAA->getSubExpr(), C.getLocationContext()); const Expr *VASubExpr = VAA->getSubExpr();
const MemRegion *VAList = getVAListAsRegion(VAListSVal, C); SVal VAListSVal = State->getSVal(VASubExpr, C.getLocationContext());
bool Symbolic;
const MemRegion *VAList =
getVAListAsRegion(VAListSVal, VASubExpr, Symbolic, C);
if (!VAList) if (!VAList)
return; return;
if (Symbolic)
return;
if (!State->contains<InitializedVALists>(VAList)) if (!State->contains<InitializedVALists>(VAList))
reportUninitializedAccess( reportUninitializedAccess(
VAList, "va_arg() is called on an uninitialized va_list", C); VAList, "va_arg() is called on an uninitialized va_list", C);
} }
void ValistChecker::checkDeadSymbols(SymbolReaper &SR, void ValistChecker::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
InitializedVAListsTy TrackedVALists = State->get<InitializedVALists>(); InitializedVAListsTy TrackedVALists = State->get<InitializedVALists>();
RegionVector LeakedVALists; RegionVector LeakedVALists;
for (auto Reg : TrackedVALists) { for (auto Reg : TrackedVALists) {
if (SR.isLiveRegion(Reg)) if (SR.isLiveRegion(Reg))
continue; continue;
LeakedVALists.push_back(Reg); LeakedVALists.push_back(Reg);
State = State->remove<InitializedVALists>(Reg); State = State->remove<InitializedVALists>(Reg);
} }
if (ExplodedNode *N = C.addTransition(State)) if (ExplodedNode *N = C.addTransition(State))
reportLeakedVALists(LeakedVALists, "Initialized va_list", " is leaked", C, reportLeakedVALists(LeakedVALists, "Initialized va_list", " is leaked", C,
N); N);
} }
const MemRegion *ValistChecker::getVAListAsRegion(SVal SV,
CheckerContext &C) const {
const MemRegion *Reg = SV.getAsRegion();
const auto *TReg = dyn_cast_or_null<TypedValueRegion>(Reg);
// Some VarRegion based VLAs reach here as ElementRegions.
const auto *EReg = dyn_cast_or_null<ElementRegion>(TReg);
return EReg ? EReg->getSuperRegion() : TReg;
}
// This function traverses the exploded graph backwards and finds the node where // This function traverses the exploded graph backwards and finds the node where
// the va_list is initialized. That node is used for uniquing the bug paths. // the va_list is initialized. That node is used for uniquing the bug paths.
// It is not likely that there are several different va_lists that belongs to // It is not likely that there are several different va_lists that belongs to
// different stack frames, so that case is not yet handled. // different stack frames, so that case is not yet handled.
const ExplodedNode *ValistChecker::getStartCallSite(const ExplodedNode *N, const ExplodedNode *
const MemRegion *Reg, ValistChecker::getStartCallSite(const ExplodedNode *N,
CheckerContext &C) const { const MemRegion *Reg) const {
const LocationContext *LeakContext = N->getLocationContext(); const LocationContext *LeakContext = N->getLocationContext();
const ExplodedNode *StartCallNode = N; const ExplodedNode *StartCallNode = N;
bool FoundInitializedState = false; bool FoundInitializedState = false;
while (N) { while (N) {
ProgramStateRef State = N->getState(); ProgramStateRef State = N->getState();
if (!State->contains<InitializedVALists>(Reg)) { if (!State->contains<InitializedVALists>(Reg)) {
Show All 37 Lines if (!(ChecksEnabled[CK_Unterminated] ||
return; return;
for (auto Reg : LeakedVALists) { for (auto Reg : LeakedVALists) {
if (!BT_leakedvalist) { if (!BT_leakedvalist) {
BT_leakedvalist.reset(new BugType(CheckNames[CK_Unterminated], BT_leakedvalist.reset(new BugType(CheckNames[CK_Unterminated],
"Leaked va_list", "Memory Error")); "Leaked va_list", "Memory Error"));
BT_leakedvalist->setSuppressOnSink(true); BT_leakedvalist->setSuppressOnSink(true);
} }
const ExplodedNode *StartNode = getStartCallSite(N, Reg, C); const ExplodedNode *StartNode = getStartCallSite(N, Reg);
PathDiagnosticLocation LocUsedForUniqueing; PathDiagnosticLocation LocUsedForUniqueing;
if (const Stmt *StartCallStmt = PathDiagnosticLocation::getStmt(StartNode)) if (const Stmt *StartCallStmt = PathDiagnosticLocation::getStmt(StartNode))
LocUsedForUniqueing = PathDiagnosticLocation::createBegin( LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
StartCallStmt, C.getSourceManager(), StartNode->getLocationContext()); StartCallStmt, C.getSourceManager(), StartNode->getLocationContext());
SmallString<100> Buf; SmallString<100> Buf;
llvm::raw_svector_ostream OS(Buf); llvm::raw_svector_ostream OS(Buf);
Show All 9 Lines for (auto Reg : LeakedVALists) {
R->markInteresting(Reg); R->markInteresting(Reg);
R->addVisitor(llvm::make_unique<ValistBugVisitor>(Reg, true)); R->addVisitor(llvm::make_unique<ValistBugVisitor>(Reg, true));
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void ValistChecker::checkVAListStartCall(const CallEvent &Call, void ValistChecker::checkVAListStartCall(const CallEvent &Call,
CheckerContext &C, bool IsCopy) const { CheckerContext &C, bool IsCopy) const {
const MemRegion *VAList = getVAListAsRegion(Call.getArgSVal(0), C); bool Symbolic;
ProgramStateRef State = C.getState(); const MemRegion *VAList =
getVAListAsRegion(Call.getArgSVal(0), Call.getArgExpr(0), Symbolic, C);
if (!VAList) if (!VAList)
return; return;
ProgramStateRef State = C.getState();
if (IsCopy) { if (IsCopy) {
const MemRegion *Arg2 = getVAListAsRegion(Call.getArgSVal(1), C); const MemRegion *Arg2 =
getVAListAsRegion(Call.getArgSVal(1), Call.getArgExpr(1), Symbolic, C);
if (Arg2) { if (Arg2) {
if (ChecksEnabled[CK_CopyToSelf] && VAList == Arg2) { if (ChecksEnabled[CK_CopyToSelf] && VAList == Arg2) {
RegionVector LeakedVALists{VAList}; RegionVector LeakedVALists{VAList};
if (ExplodedNode *N = C.addTransition(State)) if (ExplodedNode *N = C.addTransition(State))
reportLeakedVALists(LeakedVALists, "va_list", reportLeakedVALists(LeakedVALists, "va_list",
" is copied onto itself", C, N, true); " is copied onto itself", C, N, true);
return; return;
} else if (!State->contains<InitializedVALists>(Arg2)) { } else if (!State->contains<InitializedVALists>(Arg2) && !Symbolic) {
if (State->contains<InitializedVALists>(VAList)) { if (State->contains<InitializedVALists>(VAList)) {
State = State->remove<InitializedVALists>(VAList); State = State->remove<InitializedVALists>(VAList);
RegionVector LeakedVALists{VAList}; RegionVector LeakedVALists{VAList};
if (ExplodedNode *N = C.addTransition(State)) if (ExplodedNode *N = C.addTransition(State))
reportLeakedVALists(LeakedVALists, "Initialized va_list", reportLeakedVALists(LeakedVALists, "Initialized va_list",
" is overwritten by an uninitialized one", C, N, " is overwritten by an uninitialized one", C, N,
true); true);
} else { } else {
Show All 12 Linesvoid ValistChecker::checkVAListStartCall(const CallEvent &Call,
} }
State = State->add<InitializedVALists>(VAList); State = State->add<InitializedVALists>(VAList);
C.addTransition(State); C.addTransition(State);
} }
void ValistChecker::checkVAListEndCall(const CallEvent &Call, void ValistChecker::checkVAListEndCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const MemRegion *VAList = getVAListAsRegion(Call.getArgSVal(0), C); bool Symbolic;
const MemRegion *VAList =
getVAListAsRegion(Call.getArgSVal(0), Call.getArgExpr(0), Symbolic, C);
if (!VAList) if (!VAList)
return; return;
// We did not see va_start call, but the source of the region is unknown.
// Be conservative and assume the best.
if (Symbolic)
return;
if (!C.getState()->contains<InitializedVALists>(VAList)) { if (!C.getState()->contains<InitializedVALists>(VAList)) {
reportUninitializedAccess( reportUninitializedAccess(
VAList, "va_end() is called on an uninitialized va_list", C); VAList, "va_end() is called on an uninitialized va_list", C);
return; return;
} }
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
State = State->remove<InitializedVALists>(VAList); State = State->remove<InitializedVALists>(VAList);
C.addTransition(State); C.addTransition(State);
Show All 38 Lines

cfe/trunk/test/Analysis/valist-uninitialized-no-undef.c

// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -analyze -analyzer-checker=core,valist.Uninitialized,valist.CopyToSelf -analyzer-output=text -analyzer-store=region -verify %s
#include "Inputs/system-header-simulator-for-valist.h"
// This is called in call_inlined_uses_arg(),
// and the warning is generated during the analysis of call_inlined_uses_arg().
void inlined_uses_arg(va_list arg) {
(void)va_arg(arg, int); // expected-warning{{va_arg() is called on an uninitialized va_list}}
// expected-note@-1{{va_arg() is called on an uninitialized va_list}}
}
void call_inlined_uses_arg(int fst, ...) {
va_list va;
inlined_uses_arg(va); // expected-note{{Calling 'inlined_uses_arg'}}
}
void f6(va_list *fst, ...) {
va_start(*fst, fst);
// FIXME: There should be no warning for this.
(void)va_arg(*fst, int); // expected-warning{{va_arg() is called on an uninitialized va_list}}
// expected-note@-1{{va_arg() is called on an uninitialized va_list}}
va_end(*fst);
}
void call_vprintf_bad(int isstring, ...) {
va_list va;
vprintf(isstring ? "%s" : "%d", va); // expected-warning{{Function 'vprintf' is called with an uninitialized va_list argument}}
// expected-note@-1{{Function 'vprintf' is called with an uninitialized va_list argument}}
// expected-note@-2{{Assuming 'isstring' is 0}}
// expected-note@-3{{'?' condition is false}}
}
void call_vsprintf_bad(char *buffer, ...) {
va_list va;
va_start(va, buffer); // expected-note{{Initialized va_list}}
va_end(va); // expected-note{{Ended va_list}}
vsprintf(buffer, "%s %d %d %lf %03d", va); // expected-warning{{Function 'vsprintf' is called with an uninitialized va_list argument}}
// expected-note@-1{{Function 'vsprintf' is called with an uninitialized va_list argument}}
}

cfe/trunk/test/Analysis/valist-uninitialized.c

// RUN: %clang_analyze_cc1 -triple x86_64-pc-linux-gnu -analyzer-checker=core,alpha.valist.Uninitialized,alpha.valist.CopyToSelf -analyzer-output=text -analyzer-store=region -verify %s // RUN: %clang_analyze_cc1 -triple hexagon-unknown-linux -analyzer-checker=core,valist.Uninitialized,valist.CopyToSelf -analyzer-disable-checker=core.CallAndMessage -analyzer-output=text -analyzer-store=region -verify %s
// RUN: %clang_analyze_cc1 -triple x86_64-pc-linux-gnu -analyzer-checker=core,valist.Uninitialized,valist.CopyToSelf -analyzer-disable-checker=core.CallAndMessage -analyzer-output=text -analyzer-store=region -verify %s
#include "Inputs/system-header-simulator-for-valist.h" #include "Inputs/system-header-simulator-for-valist.h"
void f1(int fst, ...) { void f1(int fst, ...) {
va_list va; va_list va;
(void)va_arg(va, int); //expected-warning{{va_arg() is called on an uninitialized va_list}} expected-note{{va_arg() is called on an uninitialized va_list}} (void)va_arg(va, int); // expected-warning{{va_arg() is called on an uninitialized va_list}}
// expected-note@-1{{va_arg() is called on an uninitialized va_list}}
} }
int f2(int fst, ...) { int f2(int fst, ...) {
va_list va; va_list va;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
va_end(va); // expected-note{{Ended va_list}} va_end(va); // expected-note{{Ended va_list}}
return va_arg(va, int); //expected-warning{{va_arg() is called on an uninitialized va_list}} expected-note{{va_arg() is called on an uninitialized va_list}} return va_arg(va, int); // expected-warning{{va_arg() is called on an uninitialized va_list}}
// expected-note@-1{{va_arg() is called on an uninitialized va_list}}
} }
void f3(int fst, ...) { void f3(int fst, ...) {
va_list va, va2; va_list va, va2;
va_start(va, fst); va_start(va, fst);
va_copy(va2, va); va_copy(va2, va);
va_end(va); va_end(va);
(void)va_arg(va2, int); (void)va_arg(va2, int);
va_end(va2); va_end(va2);
} //no-warning } //no-warning
void f4(int cond, ...) { void f4(int cond, ...) {
va_list va; va_list va;
if (cond) { // expected-note{{Assuming 'cond' is 0}} expected-note{{Taking false branch}} if (cond) { // expected-note{{Assuming 'cond' is 0}}
// expected-note@-1{{Taking false branch}}
va_start(va, cond); va_start(va, cond);
(void)va_arg(va,int); (void)va_arg(va,int);
} }
va_end(va); //expected-warning{{va_end() is called on an uninitialized va_list}} expected-note{{va_end() is called on an uninitialized va_list}} va_end(va); //expected-warning{{va_end() is called on an uninitialized va_list}}
// expected-note@-1{{va_end() is called on an uninitialized va_list}}
} }
void f5(va_list fst, ...) { void f5(va_list fst, ...) {
va_start(fst, fst); va_start(fst, fst);
(void)va_arg(fst, int); (void)va_arg(fst, int);
va_end(fst); va_end(fst);
} // no-warning } // no-warning
//FIXME: this should not cause a warning
void f6(va_list *fst, ...) {
va_start(*fst, fst);
(void)va_arg(*fst, int); //expected-warning{{va_arg() is called on an uninitialized va_list}} expected-note{{va_arg() is called on an uninitialized va_list}}
va_end(*fst);
}
void f7(int *fst, ...) { void f7(int *fst, ...) {
va_list x; va_list x;
va_list *y = &x; va_list *y = &x;
va_start(*y,fst); va_start(*y,fst);
(void)va_arg(x, int); (void)va_arg(x, int);
va_end(x); va_end(x);
} // no-warning } // no-warning
void f8(int *fst, ...) { void f8(int *fst, ...) {
va_list x; va_list x;
va_list *y = &x; va_list *y = &x;
va_start(*y,fst); // expected-note{{Initialized va_list}} va_start(*y,fst); // expected-note{{Initialized va_list}}
va_end(x); // expected-note{{Ended va_list}} va_end(x); // expected-note{{Ended va_list}}
(void)va_arg(*y, int); //expected-warning{{va_arg() is called on an uninitialized va_list}} expected-note{{va_arg() is called on an uninitialized va_list}} (void)va_arg(*y, int); //expected-warning{{va_arg() is called on an uninitialized va_list}}
} // no-warning // expected-note@-1{{va_arg() is called on an uninitialized va_list}}
}
// This only contains problems which are handled by varargs.Unterminated. // This only contains problems which are handled by varargs.Unterminated.
void reinit(int *fst, ...) { void reinit(int *fst, ...) {
va_list va; va_list va;
va_start(va, fst); va_start(va, fst);
va_start(va, fst); va_start(va, fst);
(void)va_arg(va, int); (void)va_arg(va, int);
} // no-warning } // no-warning
Show All 11 Lines
void reinit3(int *fst, ...) { void reinit3(int *fst, ...) {
va_list va; va_list va;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
(void)va_arg(va, int); (void)va_arg(va, int);
va_end(va); // expected-note{{Ended va_list}} va_end(va); // expected-note{{Ended va_list}}
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
(void)va_arg(va, int); (void)va_arg(va, int);
va_end(va); // expected-note{{Ended va_list}} va_end(va); // expected-note{{Ended va_list}}
(void)va_arg(va, int); //expected-warning{{va_arg() is called on an uninitialized va_list}} expected-note{{va_arg() is called on an uninitialized va_list}} (void)va_arg(va, int); //expected-warning{{va_arg() is called on an uninitialized va_list}}
// expected-note@-1{{va_arg() is called on an uninitialized va_list}}
} }
void copyself(int fst, ...) { void copyself(int fst, ...) {
va_list va; va_list va;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
va_copy(va, va); // expected-warning{{va_list 'va' is copied onto itself}} expected-note{{va_list 'va' is copied onto itself}} va_copy(va, va); // expected-warning{{va_list 'va' is copied onto itself}}
// expected-note@-1{{va_list 'va' is copied onto itself}}
va_end(va); va_end(va);
} // no-warning }
void copyselfUninit(int fst, ...) { void copyselfUninit(int fst, ...) {
va_list va; va_list va;
va_copy(va, va); // expected-warning{{va_list 'va' is copied onto itself}} expected-note{{va_list 'va' is copied onto itself}} va_copy(va, va); // expected-warning{{va_list 'va' is copied onto itself}}
} // no-warning // expected-note@-1{{va_list 'va' is copied onto itself}}
}
void copyOverwrite(int fst, ...) { void copyOverwrite(int fst, ...) {
va_list va, va2; va_list va, va2;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
va_copy(va, va2); // expected-warning{{Initialized va_list 'va' is overwritten by an uninitialized one}} expected-note{{Initialized va_list 'va' is overwritten by an uninitialized one}} va_copy(va, va2); // expected-warning{{Initialized va_list 'va' is overwritten by an uninitialized one}}
} // no-warning // expected-note@-1{{Initialized va_list 'va' is overwritten by an uninitialized one}}
}
void copyUnint(int fst, ...) { void copyUnint(int fst, ...) {
va_list va, va2; va_list va, va2;
va_copy(va, va2); // expected-warning{{Uninitialized va_list is copied}} expected-note{{Uninitialized va_list is copied}} va_copy(va, va2); // expected-warning{{Uninitialized va_list is copied}}
// expected-note@-1{{Uninitialized va_list is copied}}
} }
void g1(int fst, ...) { void g1(int fst, ...) {
va_list va; va_list va;
va_end(va); // expected-warning{{va_end() is called on an uninitialized va_list}} expected-note{{va_end() is called on an uninitialized va_list}} va_end(va); // expected-warning{{va_end() is called on an uninitialized va_list}}
// expected-note@-1{{va_end() is called on an uninitialized va_list}}
} }
void g2(int fst, ...) { void g2(int fst, ...) {
va_list va; va_list va;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
va_end(va); // expected-note{{Ended va_list}} va_end(va); // expected-note{{Ended va_list}}
va_end(va); // expected-warning{{va_end() is called on an uninitialized va_list}} expected-note{{va_end() is called on an uninitialized va_list}} va_end(va); // expected-warning{{va_end() is called on an uninitialized va_list}}
// expected-note@-1{{va_end() is called on an uninitialized va_list}}
} }
void is_sink(int fst, ...) { void is_sink(int fst, ...) {
va_list va; va_list va;
va_end(va); // expected-warning{{va_end() is called on an uninitialized va_list}} expected-note{{va_end() is called on an uninitialized va_list}} va_end(va); // expected-warning{{va_end() is called on an uninitialized va_list}}
*((volatile int *)0) = 1; //no-warning // expected-note@-1{{va_end() is called on an uninitialized va_list}}
*((volatile int *)0) = 1;
} }
// NOTE: this is invalid, as the man page of va_end requires that "Each invocation of va_start() // NOTE: this is invalid, as the man page of va_end requires that "Each invocation of va_start()
// must be matched by a corresponding invocation of va_end() in the same function." // must be matched by a corresponding invocation of va_end() in the same function."
void ends_arg(va_list arg) { void ends_arg(va_list arg) {
va_end(arg); va_end(arg);
} //no-warning } //no-warning
void uses_arg(va_list arg) { void uses_arg(va_list arg) {
(void)va_arg(arg, int); (void)va_arg(arg, int);
} //no-warning } //no-warning
// This is the same function as the previous one, but it is called in call_uses_arg2(),
// and the warning is generated during the analysis of call_uses_arg2().
void inlined_uses_arg(va_list arg) {
(void)va_arg(arg, int); //expected-warning{{va_arg() is called on an uninitialized va_list}} expected-note{{va_arg() is called on an uninitialized va_list}}
}
void call_inlined_uses_arg(int fst, ...) {
va_list va;
inlined_uses_arg(va); // expected-note{{Calling 'inlined_uses_arg'}}
}
void call_vprintf_ok(int isstring, ...) { void call_vprintf_ok(int isstring, ...) {
va_list va; va_list va;
va_start(va, isstring); va_start(va, isstring);
vprintf(isstring ? "%s" : "%d", va); vprintf(isstring ? "%s" : "%d", va);
va_end(va); va_end(va);
} //no-warning } //no-warning
void call_vprintf_bad(int isstring, ...) { void call_some_other_func(int n, ...) {
va_list va; va_list va;
vprintf(isstring ? "%s" : "%d", va); //expected-warning{{Function 'vprintf' is called with an uninitialized va_list argument}} expected-note{{Function 'vprintf' is called with an uninitialized va_list argument}} expected-note{{Assuming 'isstring' is 0}} expected-note{{'?' condition is false}} some_library_function(n, va);
} } //no-warning
void call_vsprintf_bad(char *buffer, ...) { void inlined_uses_arg_good(va_list arg) {
va_list va; (void)va_arg(arg, int);
va_start(va, buffer); // expected-note{{Initialized va_list}}
va_end(va); // expected-note{{Ended va_list}}
vsprintf(buffer, "%s %d %d %lf %03d", va); //expected-warning{{Function 'vsprintf' is called with an uninitialized va_list argument}} expected-note{{Function 'vsprintf' is called with an uninitialized va_list argument}}
} }
void call_some_other_func(int n, ...) { void call_inlined_uses_arg_good(int fst, ...) {
va_list va; va_list va;
some_library_function(n, va); va_start(va, fst);
} //no-warning inlined_uses_arg_good(va);
va_end(va);
}
void va_copy_test(va_list arg) {
va_list dst;
va_copy(dst, arg);
va_end(dst);
}

cfe/trunk/test/Analysis/valist-unterminated.c

// RUN: %clang_analyze_cc1 -triple x86_64-pc-linux-gnu -analyzer-checker=core,alpha.valist.Unterminated,alpha.valist.CopyToSelf -analyzer-output=text -analyzer-store=region -verify %s // RUN: %clang_analyze_cc1 -triple hexagon-unknown-linux -analyzer-checker=core,valist.Unterminated,valist.CopyToSelf -analyzer-output=text -analyzer-store=region -verify %s
// RUN: %clang_analyze_cc1 -triple x86_64-pc-linux-gnu -analyzer-checker=core,valist.Unterminated,valist.CopyToSelf -analyzer-output=text -analyzer-store=region -verify %s
#include "Inputs/system-header-simulator-for-valist.h" #include "Inputs/system-header-simulator-for-valist.h"
void f1(int fst, ...) { void f1(int fst, ...) {
va_list va; va_list va;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
return; // expected-warning{{Initialized va_list 'va' is leaked}} expected-note{{Initialized va_list 'va' is leaked}} return; // expected-warning{{Initialized va_list 'va' is leaked}}
// expected-note@-1{{Initialized va_list 'va' is leaked}}
} }
void f2(int fst, ...) { void f2(int fst, ...) {
va_list va; va_list va;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
va_end(va); // expected-note{{Ended va_list}} va_end(va); // expected-note{{Ended va_list}}
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
} // expected-warning{{Initialized va_list 'va' is leaked}} expected-note{{Initialized va_list 'va' is leaked}}} } // expected-warning{{Initialized va_list 'va' is leaked}}
// expected-note@-1{{Initialized va_list 'va' is leaked}}
void f3(int fst, ...) { void f3(int fst, ...) {
va_list va, va2; va_list va, va2;
va_start(va, fst); va_start(va, fst);
va_copy(va2, va); // expected-note{{Initialized va_list}} va_copy(va2, va); // expected-note{{Initialized va_list}}
va_end(va); // expected-warning{{Initialized va_list 'va2' is leaked}} expected-note{{Initialized va_list 'va2' is leaked}} va_end(va); // expected-warning{{Initialized va_list 'va2' is leaked}}
// expected-note@-1{{Initialized va_list 'va2' is leaked}}
} }
void f4(va_list *fst, ...) { void f4(va_list *fst, ...) {
va_start(*fst, fst); // expected-note{{Initialized va_list}} va_start(*fst, fst); // expected-note{{Initialized va_list}}
return; // expected-warning{{Initialized va_list is leaked}} expected-note{{Initialized va_list is leaked}} return; // expected-warning{{Initialized va_list is leaked}}
// expected-note@-1{{Initialized va_list is leaked}}
} }
void f5(va_list fst, ...) { void f5(va_list fst, ...) {
va_start(fst, fst); va_start(fst, fst); // expected-note{{Initialized va_list}}
//FIXME: this should cause a warning } // expected-warning{{Initialized va_list}}
} // no-warning // expected-note@-1{{Initialized va_list}}
void f6(va_list *fst, ...) { void f6(va_list *fst, ...) {
va_start(*fst, fst); // expected-note{{Initialized va_list}} va_start(*fst, fst); // expected-note{{Initialized va_list}}
(void)va_arg(*fst, int); (void)va_arg(*fst, int);
//FIXME: this should NOT cause a warning //FIXME: this should NOT cause a warning
va_end(*fst); // expected-warning{{Initialized va_list is leaked}} expected-note{{Initialized va_list is leaked}} va_end(*fst); // expected-warning{{Initialized va_list is leaked}}
// expected-note@-1{{Initialized va_list is leaked}}
} }
void f7(int *fst, ...) { void f7(int *fst, ...) {
va_list x; va_list x;
va_list *y = &x; va_list *y = &x;
va_start(*y,fst); // expected-note{{Initialized va_list}} va_start(*y,fst); // expected-note{{Initialized va_list}}
} // expected-warning{{Initialized va_list 'x' is leaked}} expected-note{{Initialized va_list 'x' is leaked}} } // expected-warning{{Initialized va_list 'x' is leaked}}
// expected-note@-1{{Initialized va_list 'x' is leaked}}
void f8(int *fst, ...) { void f8(int *fst, ...) {
va_list x; va_list x;
va_list *y = &x; va_list *y = &x;
va_start(*y,fst); va_start(*y,fst);
va_end(x); va_end(x);
} // no-warning } // no-warning
void reinit(int *fst, ...) { void reinit(int *fst, ...) {
va_list va; va_list va;
va_start(va, fst); // expected-note{{Initialized va_list}} expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
va_start(va, fst); // expected-warning{{Initialized va_list 'va' is initialized again}} expected-note{{Initialized va_list 'va' is initialized again}} // expected-note@-1{{Initialized va_list}}
} // expected-warning{{Initialized va_list 'va' is leaked}} expected-note{{Initialized va_list 'va' is leaked}} va_start(va, fst); // expected-warning{{Initialized va_list 'va' is initialized again}}
// expected-note@-1{{Initialized va_list 'va' is initialized again}}
} // expected-warning{{Initialized va_list 'va' is leaked}}
// expected-note@-1{{Initialized va_list 'va' is leaked}}
void reinitOk(int *fst, ...) { void reinitOk(int *fst, ...) {
va_list va; va_list va;
va_start(va, fst); va_start(va, fst);
va_end(va); va_end(va);
va_start(va, fst); va_start(va, fst);
va_end(va); va_end(va);
} // no-warning } // no-warning
void copyself(int fst, ...) { void copyself(int fst, ...) {
va_list va; va_list va;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
va_copy(va, va); // expected-warning{{va_list 'va' is copied onto itself}} expected-note{{va_list 'va' is copied onto itself}} va_copy(va, va); // expected-warning{{va_list 'va' is copied onto itself}}
// expected-note@-1{{va_list 'va' is copied onto itself}}
va_end(va); va_end(va);
} // no-warning }
void copyselfUninit(int fst, ...) { void copyselfUninit(int fst, ...) {
va_list va; va_list va;
va_copy(va, va); // expected-warning{{va_list 'va' is copied onto itself}} expected-note{{va_list 'va' is copied onto itself}} va_copy(va, va); // expected-warning{{va_list 'va' is copied onto itself}}
} // no-warning // expected-note@-1{{va_list 'va' is copied onto itself}}
}
void copyOverwrite(int fst, ...) { void copyOverwrite(int fst, ...) {
va_list va, va2; va_list va, va2;
va_start(va, fst); // expected-note{{Initialized va_list}} va_start(va, fst); // expected-note{{Initialized va_list}}
va_copy(va, va2); // expected-warning{{Initialized va_list 'va' is overwritten by an uninitialized one}} expected-note{{Initialized va_list 'va' is overwritten by an uninitialized one}} va_copy(va, va2); // expected-warning{{Initialized va_list 'va' is overwritten by an uninitialized one}}
} // no-warning // expected-note@-1{{Initialized va_list 'va' is overwritten by an uninitialized one}}
}
//This only generates a warning for the valist.Uninitialized checker //This only generates a warning for the valist.Uninitialized checker
void copyUnint(int fst, ...) { void copyUnint(int fst, ...) {
va_list va, va2; va_list va, va2;
va_copy(va, va2); va_copy(va, va2);
} // no-warning } // no-warning
void recopy(int fst, ...) { void recopy(int fst, ...) {
va_list va, va2; va_list va, va2;
va_start(va, fst); va_start(va, fst);
va_copy(va2, va); // expected-note{{Initialized va_list}} va_copy(va2, va); // expected-note{{Initialized va_list}}
va_copy(va2, va); // expected-warning{{Initialized va_list 'va2' is initialized again}} expected-note{{Initialized va_list 'va2' is initialized again}} va_copy(va2, va); // expected-warning{{Initialized va_list 'va2' is initialized again}}
// expected-note@-1{{Initialized va_list 'va2' is initialized again}}
va_end(va); va_end(va);
va_end(va2); va_end(va2);
} //no-warning }
void doublemsg(int fst, ...) { void doublemsg(int fst, ...) {
va_list va, va2; va_list va, va2;
va_start(va, fst), va_start(va2, fst); // expected-warning{{Initialized va_list 'va' is leaked}} expected-warning{{Initialized va_list 'va2' is leaked}} expected-note{{Initialized va_list}} expected-note{{Initialized va_list}} expected-note{{Initialized va_list}} expected-note{{Initialized va_list 'va' is leaked}} va_start(va, fst), va_start(va2, fst); // expected-warning{{Initialized va_list 'va' is leaked}}
// expected-warning@-1{{Initialized va_list 'va2' is leaked}}
// expected-note@-2{{Initialized va_list}}
// expected-note@-3{{Initialized va_list}}
// expected-note@-4{{Initialized va_list}}
// expected-note@-5{{Initialized va_list 'va' is leaked}}
} }
void in_array(int fst, ...) { void in_array(int fst, ...) {
va_list va_array[8]; va_list va_array[8];
va_start(va_array[3], fst); // expected-note{{Initialized va_list}} va_start(va_array[3], fst); // expected-note{{Initialized va_list}}
} // expected-warning{{Initialized va_list 'va_array[3]' is leaked}} expected-note{{Initialized va_list 'va_array[3]' is leaked}} } // expected-warning{{Initialized va_list 'va_array[3]' is leaked}}
// expected-note@-1{{Initialized va_list 'va_array[3]' is leaked}}
struct containing_a_valist { struct containing_a_valist {
va_list vafield; va_list vafield;
int foobar; int foobar;
}; };
void in_struct(int fst, ...) { void in_struct(int fst, ...) {
struct containing_a_valist s; struct containing_a_valist s;
va_start(s.vafield, fst); // expected-note{{Initialized va_list}} va_start(s.vafield, fst); // expected-note{{Initialized va_list}}
} // expected-warning{{Initialized va_list 's.vafield' is leaked}} expected-note{{Initialized va_list 's.vafield' is leaked}} } // expected-warning{{Initialized va_list 's.vafield' is leaked}}
// expected-note@-1{{Initialized va_list 's.vafield' is leaked}}
void casting(int fst, ...) { void casting(int fst, ...) {
char mem[sizeof(va_list)]; char mem[sizeof(va_list)];
va_start(*(va_list *) mem, fst); // expected-note{{Initialized va_list}} va_start(*(va_list *) mem, fst); // expected-note{{Initialized va_list}}
} // expected-warning{{Initialized va_list 'mem[0]' is leaked}} expected-note{{Initialized va_list 'mem[0]' is leaked}} } // expected-warning{{Initialized va_list 'mem[0]' is leaked}}
// expected-note@-1{{Initialized va_list 'mem[0]' is leaked}}
void castingOk(int fst, ...) { void castingOk(int fst, ...) {
char mem[sizeof(va_list)]; char mem[sizeof(va_list)];
va_start(*(va_list *) mem, fst); va_start(*(va_list *) mem, fst);
va_end(*(va_list *) mem); va_end(*(va_list *) mem);
} // no-warning } // no-warning