doxygen/DivZeroChecker_8cpp_source.html

//== DivZeroChecker.cpp - Division by zero checker --------------*- C++ -*--==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This defines DivZeroChecker, a builtin check in ExprEngine that performs

// checks for division by zeros.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Checkers/Taint.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include <optional>


using namespace clang;

using namespace ento;

using namespace taint;


namespace {

class DivZeroChecker : public CheckerFamily<check::PreStmt<BinaryOperator>> {

  void reportBug(StringRef Msg, ProgramStateRef StateZero,

                 CheckerContext &C) const;

  void reportTaintBug(StringRef Msg, ProgramStateRef StateZero,

                      CheckerContext &C,

                      llvm::ArrayRef<SymbolRef> TaintedSyms) const;


public:

  /// This checker family implements two user-facing checker parts.

  CheckerFrontendWithBugType DivideZeroChecker{"Division by zero"};

  CheckerFrontendWithBugType TaintedDivChecker{"Division by zero",

                                               categories::TaintedData};


  void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;


  /// Identifies this checker family for debugging purposes.

  StringRef getDebugTag() const override { return "DivZeroChecker"; }

};

} // end anonymous namespace


static const Expr *getDenomExpr(const ExplodedNode *N) {

  const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();

  if (const auto *BE = dyn_cast<BinaryOperator>(S))

    return BE->getRHS();

  return nullptr;

}


void DivZeroChecker::reportBug(StringRef Msg, ProgramStateRef StateZero,

                               CheckerContext &C) const {

  if (!DivideZeroChecker.isEnabled())

    return;

  if (ExplodedNode *N = C.generateErrorNode(StateZero)) {

    auto R =

        std::make_unique<PathSensitiveBugReport>(DivideZeroChecker, Msg, N);

    bugreporter::trackExpressionValue(N, getDenomExpr(N), *R);

    C.emitReport(std::move(R));

  }

}


void DivZeroChecker::reportTaintBug(

    StringRef Msg, ProgramStateRef StateZero, CheckerContext &C,

    llvm::ArrayRef<SymbolRef> TaintedSyms) const {

  if (!TaintedDivChecker.isEnabled())

    return;

  if (ExplodedNode *N = C.generateErrorNode(StateZero)) {

    auto R =

        std::make_unique<PathSensitiveBugReport>(TaintedDivChecker, Msg, N);

    bugreporter::trackExpressionValue(N, getDenomExpr(N), *R);

    for (auto Sym : TaintedSyms)

      R->markInteresting(Sym);

    C.emitReport(std::move(R));

  }

}


void DivZeroChecker::checkPreStmt(const BinaryOperator *B,

                                  CheckerContext &C) const {

  BinaryOperator::Opcode Op = B->getOpcode();

  if (Op != BO_Div &&

      Op != BO_Rem &&

      Op != BO_DivAssign &&

      Op != BO_RemAssign)

    return;


  if (!B->getRHS()->getType()->isScalarType())

    return;


  SVal Denom = C.getSVal(B->getRHS());

  std::optional<DefinedSVal> DV = Denom.getAs<DefinedSVal>();


  // Divide-by-undefined handled in the generic checking for uses of

  // undefined values.

  if (!DV)

    return;


  // Check for divide by zero.

  ConstraintManager &CM = C.getConstraintManager();

  ProgramStateRef stateNotZero, stateZero;

  std::tie(stateNotZero, stateZero) = CM.assumeDual(C.getState(), *DV);


  if (!stateNotZero) {

    assert(stateZero);

    reportBug("Division by zero", stateZero, C);

    return;

  }


  if ((stateNotZero && stateZero)) {

    std::vector<SymbolRef> taintedSyms = getTaintedSymbols(C.getState(), *DV);

    if (!taintedSyms.empty()) {

      reportTaintBug("Division by a tainted value, possibly zero", stateZero, C,

                     taintedSyms);

      // Fallthrough to continue analysis in case of non-zero denominator.

    }

  }


  // If we get here, then the denom should not be zero. We abandon the implicit

  // zero denom case for now.

  C.addTransition(stateNotZero);

}


void ento::registerDivZeroChecker(CheckerManager &Mgr) {

  Mgr.getChecker<DivZeroChecker>()->DivideZeroChecker.enable(Mgr);

}


bool ento::shouldRegisterDivZeroChecker(const CheckerManager &) { return true; }


void ento::registerTaintedDivChecker(CheckerManager &Mgr) {

  Mgr.getChecker<DivZeroChecker>()->TaintedDivChecker.enable(Mgr);

}


bool ento::shouldRegisterTaintedDivChecker(const CheckerManager &) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CheckerContext.h

CheckerManager.h

Checker.h

CommonBugCategories.h

getDenomExpr
static const Expr * getDenomExpr(const ExplodedNode *N)
Definition DivZeroChecker.cpp:48

Taint.h

clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition Expr.h:4024

clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition Expr.h:4017

clang::BinaryOperator::Opcode
BinaryOperatorKind Opcode
Definition Expr.h:3977

clang::Expr
This represents one expression.
Definition Expr.h:112

clang::Expr::getType
QualType getType() const
Definition Expr.h:144

clang::PreStmt
Definition ProgramPoint.h:300

clang::Stmt
Stmt - This represents one statement.
Definition Stmt.h:85

clang::Type::isScalarType
bool isScalarType() const
Definition TypeBase.h:8980

clang::ento::CheckerContext
Definition CheckerContext.h:24

clang::ento::CheckerFamily
Checker families (where a single backend class implements multiple related frontends) should derive f...
Definition Checker.h:584

clang::ento::CheckerFrontend::isEnabled
bool isEnabled() const
Definition Checker.h:523

clang::ento::CheckerManager::getChecker
CHECKER * getChecker(AT &&...Args)
If the the singleton instance of a checker class is not yet constructed, then construct it (with the ...
Definition CheckerManager.h:199

clang::ento::ConstraintManager::assumeDual
ProgramStatePair assumeDual(ProgramStateRef State, DefinedSVal Cond)
Returns a pair of states (StTrue, StFalse) where the given condition is assumed to be true or false,...
Definition ConstraintManager.cpp:93

clang::ento::ExplodedNode
Definition ExplodedGraph.h:66

clang::ento::ExplodedNode::getLocationAs
std::optional< T > getLocationAs() const &
Definition ExplodedGraph.h:171

clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition SVals.h:87

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition BugReporterVisitors.cpp:2641

clang::ento::categories::TaintedData
const char *const TaintedData
Definition CommonBugCategories.cpp:27

clang::ento::taint
Definition Taint.h:21

clang::ento::taint::getTaintedSymbols
std::vector< SymbolRef > getTaintedSymbols(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Returns the tainted Symbols for a given Statement and state.
Definition Taint.cpp:170

clang::ento
Definition CocoaConventions.h:23

clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition ProgramState_Fwd.h:37

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition CalledOnceCheck.h:17

clang::LinkageSpecLanguageIDs::C
@ C
Definition DeclCXX.h:3007