Index: clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
@@ -210,11 +210,18 @@
     if (SR.isLiveRegion(Reg))
       continue;
     LeakedVALists.push_back(Reg);
-    State = State->remove<InitializedVALists>(Reg);
   }
-  if (ExplodedNode *N = C.addTransition(State))
+  ExplodedNode *Pred = C.getPredecessor();
+  if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
     reportLeakedVALists(LeakedVALists, "Initialized va_list", " is leaked", C,
                         N);
+    Pred = N;
+  }
+
+  for (auto Reg : LeakedVALists) {
+    State = State->remove<InitializedVALists>(Reg);
+  }
+  C.addTransition(State, Pred);
 }
 
 // This function traverses the exploded graph backwards and finds the node where
@@ -328,12 +335,16 @@
         return;
       } else if (!State->contains<InitializedVALists>(Arg2) && !Symbolic) {
         if (State->contains<InitializedVALists>(VAList)) {
-          State = State->remove<InitializedVALists>(VAList);
-          RegionVector LeakedVALists{VAList};
-          if (ExplodedNode *N = C.addTransition(State))
+          ExplodedNode *Pred = C.getPredecessor();
+          if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
+            RegionVector LeakedVALists{VAList};
             reportLeakedVALists(LeakedVALists, "Initialized va_list",
                                 " is overwritten by an uninitialized one", C, N,
                                 true);
+            Pred = N;
+          }
+          State = State->remove<InitializedVALists>(VAList);
+          C.addTransition(State, Pred);
         } else {
           reportUninitializedAccess(Arg2, "Uninitialized va_list is copied", C);
         }