clang  15.0.0git
DivZeroChecker.cpp
Go to the documentation of this file.
1 //== DivZeroChecker.cpp - Division by zero checker --------------*- C++ -*--==//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This defines DivZeroChecker, a builtin check in ExprEngine that performs
10 // checks for division by zeros.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15 #include "clang/StaticAnalyzer/Checkers/Taint.h"
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20 
21 using namespace clang;
22 using namespace ento;
23 using namespace taint;
24 
25 namespace {
26 class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > {
27  mutable std::unique_ptr<BuiltinBug> BT;
28  void reportBug(const char *Msg, ProgramStateRef StateZero, CheckerContext &C,
29  std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const;
30 
31 public:
32  void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
33 };
34 } // end anonymous namespace
35 
36 static const Expr *getDenomExpr(const ExplodedNode *N) {
37  const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();
38  if (const auto *BE = dyn_cast<BinaryOperator>(S))
39  return BE->getRHS();
40  return nullptr;
41 }
42 
43 void DivZeroChecker::reportBug(
44  const char *Msg, ProgramStateRef StateZero, CheckerContext &C,
45  std::unique_ptr<BugReporterVisitor> Visitor) const {
46  if (ExplodedNode *N = C.generateErrorNode(StateZero)) {
47  if (!BT)
48  BT.reset(new BuiltinBug(this, "Division by zero"));
49 
50  auto R = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N);
51  R->addVisitor(std::move(Visitor));
52  bugreporter::trackExpressionValue(N, getDenomExpr(N), *R);
53  C.emitReport(std::move(R));
54  }
55 }
56 
57 void DivZeroChecker::checkPreStmt(const BinaryOperator *B,
58  CheckerContext &C) const {
59  BinaryOperator::Opcode Op = B->getOpcode();
60  if (Op != BO_Div &&
61  Op != BO_Rem &&
62  Op != BO_DivAssign &&
63  Op != BO_RemAssign)
64  return;
65 
66  if (!B->getRHS()->getType()->isScalarType())
67  return;
68 
69  SVal Denom = C.getSVal(B->getRHS());
70  Optional<DefinedSVal> DV = Denom.getAs<DefinedSVal>();
71 
72  // Divide-by-undefined handled in the generic checking for uses of
73  // undefined values.
74  if (!DV)
75  return;
76 
77  // Check for divide by zero.
78  ConstraintManager &CM = C.getConstraintManager();
79  ProgramStateRef stateNotZero, stateZero;
80  std::tie(stateNotZero, stateZero) = CM.assumeDual(C.getState(), *DV);
81 
82  if (!stateNotZero) {
83  assert(stateZero);
84  reportBug("Division by zero", stateZero, C);
85  return;
86  }
87 
88  bool TaintedD = isTainted(C.getState(), *DV);
89  if ((stateNotZero && stateZero && TaintedD)) {
90  reportBug("Division by a tainted value, possibly zero", stateZero, C,
91  std::make_unique<taint::TaintBugVisitor>(*DV));
92  return;
93  }
94 
95  // If we get here, then the denom should not be zero. We abandon the implicit
96  // zero denom case for now.
97  C.addTransition(stateNotZero);
98 }
99 
100 void ento::registerDivZeroChecker(CheckerManager &mgr) {
101  mgr.registerChecker<DivZeroChecker>();
102 }
103 
104 bool ento::shouldRegisterDivZeroChecker(const CheckerManager &mgr) {
105  return true;
106 }
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::Type::isScalarType
bool isScalarType() const
Definition: Type.h:7183
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:55
llvm::Optional
Definition: LLVM.h:40
clang::ento::taint::isTainted
bool isTainted(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Check if the statement has a tainted value in the given state.
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3851
BuiltinCheckerRegistration.h
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3807
CheckerManager.h
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
clang::PreStmt
Definition: ProgramPoint.h:294
Taint.h
BugType.h
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25
CheckerContext.h
Checker.h
clang
Definition: CalledOnceCheck.h:17
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:70
getDenomExpr
static const Expr * getDenomExpr(const ExplodedNode *N)
Definition: DivZeroChecker.cpp:36
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3858
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
clang::Expr
This represents one expression.
Definition: Expr.h:109
Generated on Wed Jul 6 2022 02:24:19 for clang by   doxygen 1.8.17