doxygen/DivZeroChecker_8cpp_source.html

//== DivZeroChecker.cpp - Division by zero checker --------------*- C++ -*--==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This defines DivZeroChecker, a builtin check in ExprEngine that performs

// checks for division by zeros.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Checkers/Taint.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include <optional>


using namespace clang;

using namespace ento;

using namespace taint;


namespace {

class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > {

  const BugType BT{this, "Division by zero"};

  const BugType TaintBT{this, "Division by zero", categories::TaintedData};

  void reportBug(StringRef Msg, ProgramStateRef StateZero,

                 CheckerContext &C) const;

  void reportTaintBug(StringRef Msg, ProgramStateRef StateZero,

                      CheckerContext &C,

                      llvm::ArrayRef<SymbolRef> TaintedSyms) const;


public:

  void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;

};

} // end anonymous namespace


static const Expr *getDenomExpr(const ExplodedNode *N) {

  const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();

  if (const auto *BE = dyn_cast<BinaryOperator>(S))

    return BE->getRHS();

  return nullptr;

}


void DivZeroChecker::reportBug(StringRef Msg, ProgramStateRef StateZero,

                               CheckerContext &C) const {

  if (ExplodedNode *N = C.generateErrorNode(StateZero)) {

    auto R = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);

    bugreporter::trackExpressionValue(N, getDenomExpr(N), *R);

    C.emitReport(std::move(R));

  }

}


void DivZeroChecker::reportTaintBug(

    StringRef Msg, ProgramStateRef StateZero, CheckerContext &C,

    llvm::ArrayRef<SymbolRef> TaintedSyms) const {

  if (ExplodedNode *N = C.generateErrorNode(StateZero)) {

    auto R = std::make_unique<PathSensitiveBugReport>(TaintBT, Msg, N);

    bugreporter::trackExpressionValue(N, getDenomExpr(N), *R);

    for (auto Sym : TaintedSyms)

      R->markInteresting(Sym);

    C.emitReport(std::move(R));

  }

}


void DivZeroChecker::checkPreStmt(const BinaryOperator *B,

                                  CheckerContext &C) const {

  BinaryOperator::Opcode Op = B->getOpcode();

  if (Op != BO_Div &&

      Op != BO_Rem &&

      Op != BO_DivAssign &&

      Op != BO_RemAssign)

    return;


  if (!B->getRHS()->getType()->isScalarType())

    return;


  SVal Denom = C.getSVal(B->getRHS());

  std::optional<DefinedSVal> DV = Denom.getAs<DefinedSVal>();


  // Divide-by-undefined handled in the generic checking for uses of

  // undefined values.

  if (!DV)

    return;


  // Check for divide by zero.

  ConstraintManager &CM = C.getConstraintManager();

  ProgramStateRef stateNotZero, stateZero;

  std::tie(stateNotZero, stateZero) = CM.assumeDual(C.getState(), *DV);


  if (!stateNotZero) {

    assert(stateZero);

    reportBug("Division by zero", stateZero, C);

    return;

  }


  if ((stateNotZero && stateZero)) {

    std::vector<SymbolRef> taintedSyms = getTaintedSymbols(C.getState(), *DV);

    if (!taintedSyms.empty()) {

      reportTaintBug("Division by a tainted value, possibly zero", stateZero, C,

                     taintedSyms);

      return;

    }

  }


  // If we get here, then the denom should not be zero. We abandon the implicit

  // zero denom case for now.

  C.addTransition(stateNotZero);

}


void ento::registerDivZeroChecker(CheckerManager &mgr) {

  mgr.registerChecker<DivZeroChecker>();

}


bool ento::shouldRegisterDivZeroChecker(const CheckerManager &mgr) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CheckerContext.h

CheckerManager.h

Checker.h

CommonBugCategories.h

getDenomExpr
static const Expr * getDenomExpr(const ExplodedNode *N)
Definition: DivZeroChecker.cpp:42

Taint.h

clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3840

clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3891

clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3884

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::PreStmt
Definition: ProgramPoint.h:290

clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84

clang::Type::isScalarType
bool isScalarType() const
Definition: Type.h:7794

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:512

clang::ento::ConstraintManager
Definition: ConstraintManager.h:69

clang::ento::ConstraintManager::assumeDual
ProgramStatePair assumeDual(ProgramStateRef State, DefinedSVal Cond)
Returns a pair of states (StTrue, StFalse) where the given condition is assumed to be true or false,...
Definition: ConstraintManager.cpp:93

clang::ento::DefinedSVal
Definition: SVals.h:220

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::ento::ExplodedNode::getLocationAs
std::optional< T > getLocationAs() const &
Definition: ExplodedGraph.h:171

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55

clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:86

llvm::ArrayRef
Definition: LLVM.h:31

llvm::IntrusiveRefCntPtr< const ProgramState >

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2685

clang::ento::categories::TaintedData
const char *const TaintedData
Definition: CommonBugCategories.cpp:27

clang::ento::taint::getTaintedSymbols
std::vector< SymbolRef > getTaintedSymbols(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Returns the tainted Symbols for a given Statement and state.
Definition: Taint.cpp:169

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17

clang::LinkageSpecLanguageIDs::C
@ C

clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25