Function pointers passed to and called in a variadic function are ignored in the call graph

[lzaoral]

Consider the following C program:

#include <stdarg.h>

void foo(void) {}

void bar(int a, ...)
{
    va_list vaargs;
    va_start(vaargs, a);

    void (*b)(void) = va_arg(vaargs, void(*)(void));
    b();

    va_end(vaargs);
}

int main(void)
{
    bar(5, foo);
}

The corresponding call graph generated by wpa -ander -dump-callgraph main.ll:

Problem: The call to foo from bar is missing. However, if bar isn't variadic, the constructed call graph is correct.

[yuleisui]

This is a very good case. SVF can not handle variadic functions statically for now. We will put this on our list to seek help with this.

[timmyyuan]

@yuleisui I find that variadic arguments have been handled in the SVF here. Is it safe to remove this condition directly so we can connect variadic functions in the call graph?

[yuleisui]

Because pointer analysis can be conservative, it can happen the argument mismatch even if the case is not variadic.

[timmyyuan]

@yuleisui Thanks for the explanation, but the following scene confuses me (I hope %1 can resolve to @bar)

; ModuleID = './test/InitExtFnPtr.bc'
source_filename = "./test/InitExtFnPtr.bc"

@fnptr = global i32 (i32, ...)* @bar, align 8

declare i32 @bar(i32, ...)

define void @foo() {
    %ret = alloca i32, align 4
    %1 = load i32 (i32, ...)*, i32 (i32, ...)** @fnptr, align 8
    %2 = load i32, i32* %ret, align 4
    %call = call i32 (i32, ...) %1(i32 1, i32 256, i32 %2)
    ret void
}

but when I tried:

../svf-latest/Release-build/bin/wpa -ander -print-fp test/InitExtFnPtr.bc

SVF answered:

==================Function Pointer Targets==================

NodeID: 17
CallSite:    %call = call i32 (i32, ...) %1(i32 1, i32 256, i32 %2)     Location:
        !!!has no targets!!!

[yuleisui]

I think one fix is to let matchargs return true if it calls a variadic function. Could you make a pull request?

[timmyyuan]

Sure, PTAL #1031