clang 22.0.0git
TestAfterDivZeroChecker.cpp
Go to the documentation of this file.
1//== TestAfterDivZeroChecker.cpp - Test after division by zero checker --*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines TestAfterDivZeroChecker, a builtin check that performs checks
10// for division by zero where the division occurs before comparison with zero.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
16#include "clang/StaticAnalyzer/Core/Checker.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19#include "llvm/ADT/FoldingSet.h"
20#include <optional>
21
22using namespace clang;
23using namespace ento;
24
25namespace {
26
27class ZeroState {
28private:
29 SymbolRef ZeroSymbol;
30 unsigned BlockID;
31 const StackFrameContext *SFC;
32
33public:
34 ZeroState(SymbolRef S, unsigned B, const StackFrameContext *SFC)
35 : ZeroSymbol(S), BlockID(B), SFC(SFC) {}
36
37 const StackFrameContext *getStackFrameContext() const { return SFC; }
38
39 bool operator==(const ZeroState &X) const {
40 return BlockID == X.BlockID && SFC == X.SFC && ZeroSymbol == X.ZeroSymbol;
41 }
42
43 bool operator<(const ZeroState &X) const {
44 return std::tie(BlockID, SFC, ZeroSymbol) <
45 std::tie(X.BlockID, X.SFC, X.ZeroSymbol);
46 }
47
48 void Profile(llvm::FoldingSetNodeID &ID) const {
49 ID.AddInteger(BlockID);
50 ID.AddPointer(SFC);
51 ID.AddPointer(ZeroSymbol);
52 }
53};
54
55class DivisionBRVisitor : public BugReporterVisitor {
56private:
57 SymbolRef ZeroSymbol;
58 const StackFrameContext *SFC;
59 bool Satisfied;
60
61public:
62 DivisionBRVisitor(SymbolRef ZeroSymbol, const StackFrameContext *SFC)
63 : ZeroSymbol(ZeroSymbol), SFC(SFC), Satisfied(false) {}
64
65 void Profile(llvm::FoldingSetNodeID &ID) const override {
66 ID.Add(ZeroSymbol);
67 ID.Add(SFC);
68 }
69
70 PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,
71 BugReporterContext &BRC,
72 PathSensitiveBugReport &BR) override;
73};
74
75class TestAfterDivZeroChecker
76 : public Checker<check::PreStmt<BinaryOperator>, check::BranchCondition,
77 check::EndFunction> {
78 const BugType DivZeroBug{this, "Division by zero"};
79 void reportBug(SVal Val, CheckerContext &C) const;
80
81public:
82 void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
83 void checkBranchCondition(const Stmt *Condition, CheckerContext &C) const;
84 void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const;
85 void setDivZeroMap(SVal Var, CheckerContext &C) const;
86 bool hasDivZeroMap(SVal Var, const CheckerContext &C) const;
87 bool isZero(SVal S, CheckerContext &C) const;
88};
89} // end anonymous namespace
90
91REGISTER_SET_WITH_PROGRAMSTATE(DivZeroMap, ZeroState)
92
93PathDiagnosticPieceRef
94DivisionBRVisitor::VisitNode(const ExplodedNode *Succ, BugReporterContext &BRC,
95 PathSensitiveBugReport &BR) {
96 if (Satisfied)
97 return nullptr;
98
99 const Expr *E = nullptr;
100
101 if (std::optional<PostStmt> P = Succ->getLocationAs<PostStmt>())
102 if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>()) {
103 BinaryOperator::Opcode Op = BO->getOpcode();
104 if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign ||
105 Op == BO_RemAssign) {
106 E = BO->getRHS();
107 }
108 }
109
110 if (!E)
111 return nullptr;
112
113 SVal S = Succ->getSVal(E);
114 if (ZeroSymbol == S.getAsSymbol() && SFC == Succ->getStackFrame()) {
115 Satisfied = true;
116
117 // Construct a new PathDiagnosticPiece.
118 ProgramPoint P = Succ->getLocation();
119 PathDiagnosticLocation L =
120 PathDiagnosticLocation::create(P, BRC.getSourceManager());
121
122 if (!L.isValid() || !L.asLocation().isValid())
123 return nullptr;
124
125 return std::make_shared<PathDiagnosticEventPiece>(
126 L, "Division with compared value made here");
127 }
128
129 return nullptr;
130}
131
132bool TestAfterDivZeroChecker::isZero(SVal S, CheckerContext &C) const {
133 std::optional<DefinedSVal> DSV = S.getAs<DefinedSVal>();
134
135 if (!DSV)
136 return false;
137
138 ConstraintManager &CM = C.getConstraintManager();
139 return !CM.assume(C.getState(), *DSV, true);
140}
141
142void TestAfterDivZeroChecker::setDivZeroMap(SVal Var, CheckerContext &C) const {
143 SymbolRef SR = Var.getAsSymbol();
144 if (!SR)
145 return;
146
147 ProgramStateRef State = C.getState();
148 State =
149 State->add<DivZeroMap>(ZeroState(SR, C.getBlockID(), C.getStackFrame()));
150 C.addTransition(State);
151}
152
153bool TestAfterDivZeroChecker::hasDivZeroMap(SVal Var,
154 const CheckerContext &C) const {
155 SymbolRef SR = Var.getAsSymbol();
156 if (!SR)
157 return false;
158
159 ZeroState ZS(SR, C.getBlockID(), C.getStackFrame());
160 return C.getState()->contains<DivZeroMap>(ZS);
161}
162
163void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const {
164 if (ExplodedNode *N = C.generateErrorNode(C.getState())) {
165 auto R = std::make_unique<PathSensitiveBugReport>(
166 DivZeroBug,
167 "Value being compared against zero has already been used "
168 "for division",
169 N);
170
171 R->addVisitor(std::make_unique<DivisionBRVisitor>(Val.getAsSymbol(),
172 C.getStackFrame()));
173 C.emitReport(std::move(R));
174 }
175}
176
177void TestAfterDivZeroChecker::checkEndFunction(const ReturnStmt *,
178 CheckerContext &C) const {
179 ProgramStateRef State = C.getState();
180
181 DivZeroMapTy DivZeroes = State->get<DivZeroMap>();
182 if (DivZeroes.isEmpty())
183 return;
184
185 DivZeroMapTy::Factory &F = State->get_context<DivZeroMap>();
186 for (const ZeroState &ZS : DivZeroes) {
187 if (ZS.getStackFrameContext() == C.getStackFrame())
188 DivZeroes = F.remove(DivZeroes, ZS);
189 }
190 C.addTransition(State->set<DivZeroMap>(DivZeroes));
191}
192
193void TestAfterDivZeroChecker::checkPreStmt(const BinaryOperator *B,
194 CheckerContext &C) const {
195 BinaryOperator::Opcode Op = B->getOpcode();
196 if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign ||
197 Op == BO_RemAssign) {
198 SVal S = C.getSVal(B->getRHS());
199
200 if (!isZero(S, C))
201 setDivZeroMap(S, C);
202 }
203}
204
205void TestAfterDivZeroChecker::checkBranchCondition(const Stmt *Condition,
206 CheckerContext &C) const {
207 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(Condition)) {
208 if (B->isComparisonOp()) {
209 const IntegerLiteral *IntLiteral = dyn_cast<IntegerLiteral>(B->getRHS());
210 bool LRHS = true;
211 if (!IntLiteral) {
212 IntLiteral = dyn_cast<IntegerLiteral>(B->getLHS());
213 LRHS = false;
214 }
215
216 if (!IntLiteral || IntLiteral->getValue() != 0)
217 return;
218
219 SVal Val = C.getSVal(LRHS ? B->getLHS() : B->getRHS());
220 if (hasDivZeroMap(Val, C))
221 reportBug(Val, C);
222 }
223 } else if (const UnaryOperator *U = dyn_cast<UnaryOperator>(Condition)) {
224 if (U->getOpcode() == UO_LNot) {
225 SVal Val;
226 if (const ImplicitCastExpr *I =
227 dyn_cast<ImplicitCastExpr>(U->getSubExpr()))
228 Val = C.getSVal(I->getSubExpr());
229
230 if (hasDivZeroMap(Val, C))
231 reportBug(Val, C);
232 else {
233 Val = C.getSVal(U->getSubExpr());
234 if (hasDivZeroMap(Val, C))
235 reportBug(Val, C);
236 }
237 }
238 } else if (const ImplicitCastExpr *IE =
239 dyn_cast<ImplicitCastExpr>(Condition)) {
240 SVal Val = C.getSVal(IE->getSubExpr());
241
242 if (hasDivZeroMap(Val, C))
243 reportBug(Val, C);
244 else {
245 SVal Val = C.getSVal(Condition);
246
247 if (hasDivZeroMap(Val, C))
248 reportBug(Val, C);
249 }
250 }
251}
252
253void ento::registerTestAfterDivZeroChecker(CheckerManager &mgr) {
254 mgr.registerChecker<TestAfterDivZeroChecker>();
255}
256
257bool ento::shouldRegisterTestAfterDivZeroChecker(const CheckerManager &mgr) {
258 return true;
259}
X
#define X(type, name)
Definition Value.h:97
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition ProgramStateTrait.h:112
clang::APIntStorage::getValue
llvm::APInt getValue() const
Definition APNumericStorage.h:53
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition Expr.h:4024
clang::BinaryOperator::isComparisonOp
static bool isComparisonOp(Opcode Opc)
Definition Expr.h:4074
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition Expr.h:4026
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition Expr.h:4019
clang::BinaryOperator::Opcode
BinaryOperatorKind Opcode
Definition Expr.h:3979
clang::SourceLocation::isValid
bool isValid() const
Return true if this is a valid SourceLocation object.
Definition SourceLocation.h:115
clang::ento::BugReporterContext::getSourceManager
const SourceManager & getSourceManager() const
Definition BugReporter.h:744
clang::ento::BugReporterVisitor
BugReporterVisitors are used to add custom diagnostics along a path.
Definition BugReporterVisitors.h:49
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&...Args)
Register a single-part checker (derived from Checker): construct its singleton instance,...
Definition CheckerManager.h:218
clang::ento::Checker
Simple checker classes that implement one frontend (i.e.
Definition Checker.h:553
clang::ento::ConstraintManager::assume
ProgramStateRef assume(ProgramStateRef state, DefinedSVal Cond, bool Assumption)
Definition ConstraintManager.cpp:110
clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition ExplodedGraph.h:145
clang::ento::ExplodedNode::getStackFrame
const StackFrameContext * getStackFrame() const
Definition ExplodedGraph.h:151
clang::ento::ExplodedNode::getSVal
SVal getSVal(const Stmt *S) const
Get the value of an arbitrary expression at this node.
Definition ExplodedGraph.h:176
clang::ento::ExplodedNode::getLocationAs
std::optional< T > getLocationAs() const &
Definition ExplodedGraph.h:171
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition PathDiagnostic.h:248
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition SVals.cpp:103
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition SVals.h:87
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition ProgramState_Fwd.h:37
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition SymExpr.h:133
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition PathDiagnostic.h:492
clang::lifetimes::internal::ProgramPoint
const Fact * ProgramPoint
A ProgramPoint identifies a location in the CFG by pointing to a specific Fact.
Definition LifetimeSafety.h:97
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition CalledOnceCheck.h:17
clang::operator==
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition CallGraph.h:204
clang::operator<
bool operator<(DeclarationName LHS, DeclarationName RHS)
Ordering on two declaration names.
Definition DeclarationName.h:578
false
#define false
Definition stdbool.h:26
Generated on for clang by doxygen 1.14.0